{
	"id": "d47c3a2e-c95a-425c-bd24-57f06382800b",
	"created_at": "2026-04-06T00:15:48.507633Z",
	"updated_at": "2026-04-10T03:31:18.92293Z",
	"deleted_at": null,
	"sha1_hash": "ace68cd5f90719a18d84ef8a42f90370629fcd22",
	"title": "Black Energy Crypto",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 372474,
	"plain_text": "Black Energy Crypto\r\nBy Julia Wolf\r\nPublished: 2010-03-03 · Archived: 2026-04-05 23:07:03 UTC\r\nIntroduction\r\nBlack Energy has been in the news again recently (well, it was recent back when I wrote the first draft of this).\r\nI’m not here to talk about Citigroup, I’m here to talk about cryptography, and how to fail at it. That being said, allegedly\r\nCitibank was “hacked” using Black Energy, according to the Wall Street Journal. Citigroup flat out denies it, and aside from\r\nthis assertion from the WSJ, there’s no other information. But it doesn’t make sense that “Black Energy” itself, or what is\r\ncommonly referred to by that name, was used for some kind of banking attack; it’s a DDoS bot.\r\nNow, it could actually be Black Energy that’s responsible, or something different which just looks like Black Energy. But\r\nlately, a very Black Energy-like DDoS “module” tends to get installed along with other malware such as Zeus, via the “Yes\r\nExploit System”, or via Oficla/Sasfis, and like every bot, it can download and execute arbitrary files upon command. I have\r\nno idea what, if anything, happened at Citibank, but I speculate that a Black Energy bot was just along for the ride. An\r\ninfection of one bot quickly leads to an infestation of many. [cute metaphor about infestations goes here] It’s kinda like a\r\nbig ball of malware goo.\r\nAnalogy\r\nOk, so you remember how the five robot lions in the show “Voltron” would form a giant robot to battle space monsters?\r\nEach lion had its own distinct identity, like one was green, and another one was pink, etc., but they could combine to form a\r\nsingle robot, with a distinct identity apart from each individual lion. 
Ok, well malware also combines together to form a\r\ngiant robot.\r\n[I was going to make the same analogy using the Constructicons as examples, they're evil bots you see… but that's just a little too obscure.]\r\nAnyway, so for something less ambiguous… onto the technical part!\r\nThe Technical Part\r\nExposition\r\nI’m never certain how much information I should publicly reveal about what is known about a particular piece of\r\nmalware. It’s very ego-gratifying to say: “Hey, the way you did this thing sucks.”\r\nI’m certain that word will get back to the original malware author(s), and they’ll fix the bug(s).\r\nSo, in the case of Black Energy, or the bot formerly known as Black Energy, someone [Cr4sh?] already got a clue that they\r\nwere doing it wrong, and fixed it. So this crypto trick I’m about to reveal below doesn’t work anymore.\r\nUpdate\r\nCr4sh — author of the original Black Energy 1.x bot(s) — released a public statement. For those who can’t read Russian (or\r\nread it less well than even I do), I’ll summarize the relevant parts:\r\nBlack Energy was created as a simple DDoS bot without any rootkits, infectors, spyware, etc.\r\nhttps://web.archive.org/web/20140428201836/http://www.fireeye.com/blog/technical/malware-research/2010/03/black-energy-crypto.html\r\nPage 1 of 31\n\nCr4sh doesn’t know how this relates to stealing banking information.\r\nThe source code was available to many private parties, so someone must have modified it.\r\nOnly an idiot would put their name on a criminal bot.\r\nCr4sh says he’s not linked to any botnet networks, programs, or organizations.\r\nThe original statement, translated from Russian:\r\nBlack Energy is a DDoS bot that was the result of commissioned work (around 2006-2007) to create a simple and compact\r\nworking tool, without any rootkits, infectors or spyware functions of any kind.\r\nHow a DDoS bot relates to stealing banking information, I have no fucking clue. 
However, the fact that\r\nits source code was available to many people in all sorts of [semi-]private circles may mean that someone adapted it\r\nfor their own needs. Only a complete idiot would suspect the author of a bot, whose signature was on publicly\r\navailable builds from 3 years ago, of involvement in criminal schemes.\r\nPS: As for me, at present I am in no way connected with botnets or the programs used to organize them.\r\nExposition\r\nSomeone sent me a .pcap of some recent encrypted Black Energy communications, and had an urgent need to know what\r\nwas being transmitted. But they didn’t have a copy of the bot which spewed forth this data, and the associated C\u0026C was\r\ndown.\r\nIn any case, it’s usually a bit faster to just attack the crypto head-on, rather than reverse engineering a whole\r\nprogram looking for the decryption routine. This is because most malware authors (and sadly, many commercial software\r\nauthors too) implement the crypto routine(s) incorrectly, making them fairly trivial to crack. So, rather than track down a\r\nsample and reverse it, I just did some math on the cyphertexts, looking for common mistakes.\r\nThe Actual Technical Part\r\nThere was nothing known [to me or Google] about the encryption being used. But I noticed some very strong patterns in the\r\ndata. It was obviously some kind of stream cipher, but not RC4 from what I can tell. I ran all the usual tests (add, subtract,\r\nor xor with repeating or incrementing patterns); it wasn’t one of those.\r\nStream Cypher\r\nThis version of Black Energy is reusing the same keystream for multiple plaintexts. This is an absolutely fatal flaw for any\r\nstream cypher; take a look at this example to see why. 
I say it’s obviously a stream cypher with a constant key, because if\r\nyou XOR two cyphertexts together, the keystream cancels out, and at every location where the byte in one plaintext is\r\nthe same as the byte at the same location in the other, you get a NULL. And conversely, if there was a NULL byte in\r\neither plaintext, the plaintext byte from the opposite plaintext will emerge.\r\nRemember this identity: (Message1 ⊕ Keystream) ⊕ (Message2 ⊕ Keystream) = Message1 ⊕ Message2\r\nFor Example\r\n00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|\r\n*\r\n00000030 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 00 |................|\r\n00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|\r\n*\r\n00000080 8a d1 0b 61 8a d1 0b 61 8a d1 0b 61 8a d1 0b 61 |...a...a...a...a|\r\n00000090 8a d1 59 61 8b d1 0b 61 4c d2 09 61 89 d1 0b 61 |..Ya...aL..a...a|\r\n000000a0 9c d5 0b 61 8a d1 0b 61 8a d1 09 61 80 d1 0b 61 |...a...a...a...a|\r\n000000b0 09 d9 57 61 ab d1 0b 61 8f dd 6a 61 9e d1 0b 61 |..Wa...a..ja...a|\r\n000000c0 8a d1 37 61 8e d1 0b 61 8a d1 0d 61 8a d1 0b 61 |..7a...a...a...a|\r\n000000d0 fe ba 90 af 8b d1 0b 61 52 69 63 68 a9 df a9 c7 |.......aRich....|\r\n000000e0 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 |........PE..L...|\r\n000000f0 79 42 b3 48 00 00 00 00 50 45 00 00 ac 01 0a 21 |yB.H....PE.....!|\r\n00000100 9e 27 a1 42 00 0e 00 00 00 3a 00 00 e0 00 0e 21 |.'.B.....:.....!|\r\n00000110 a7 11 07 0a 00 1e 00 00 00 30 00 00 00 00 00 10 |.........0......|\r\n00000120 41 00 00 00 00 12 00 00 04 20 00 00 00 00 00 10 |A........ 
......|\r\n00000130 04 10 00 00 00 02 00 00 04 70 00 00 00 04 00 00 |.........p......|\r\n00000140 04 00 00 00 02 00 00 04 00 50 10 00 00 14 00 00 |.........P......|\r\n00000150 00 00 10 00 02 10 00 04 00 00 10 00 10 10 00 00 |................|\r\n00000160 10 26 10 00 62 10 00 00 08 22 00 00 a4 00 00 00 |.\u0026..b....\"......|\r\n00000170 10 23 00 00 63 00 00 00 00 21 00 00 64 00 00 00 |.#..c....!..d...|\r\n00000180 00 00 00 00 00 00 00 00 00 60 00 00 bc 00 00 00 |.........`......|\r\n00000190 00 00 00 00 00 00 00 00 00 40 00 00 20 01 00 00 |.........@.. ...|\r\n000001a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|\r\n*\r\n000001c0 00 20 00 00 b4 00 00 00 00 00 00 00 00 00 00 00 |. ..............|\r\n000001d0 00 20 00 00 5c 00 00 00 00 00 00 00 00 00 00 00 |. ..\\...........|\r\n000001e0 2e 74 65 78 74 00 00 00 00 0d 00 00 00 10 00 00 |.text...........|\r\n000001f0 2e 7a 65 78 74 04 00 00 dd 0d 00 00 00 10 00 00 |.zext...........|\r\n00000200 00 0e 00 00 20 04 00 60 2e 72 64 61 74 61 00 00 |.... ..`.rdata..|\r\n00000210 72 06 00 00 20 20 00 60 2e 7a 64 61 74 73 00 00 |r... .`.zdats..|\r\n00000220 73 03 00 00 00 20 00 00 00 04 00 00 40 12 00 40 |s.... 
......@..@|\r\n00000230 2e 64 61 74 61 00 00 00 70 2e 00 00 40 30 00 40 |.data...p...@0.@|\r\n00000240 2e 42 61 74 61 1a 00 00 f0 09 00 00 00 30 00 00 |.Bata........0..|\r\n00000250 00 02 00 00 40 16 00 c0 2e 72 65 6c 6f 63 00 00 |....@....reloc..|\r\n00000260 4c 01 00 00 40 60 00 c0 2e 70 65 6c 6f 23 00 00 |L...@`...pelo#..|\r\n00000270 86 01 00 00 00 40 00 00 00 02 00 00 40 18 00 42 |.....@......@..B|\r\n00000280 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 |............@..B|\r\n00000290 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|\r\n*\r\nWow, that sure does look like two EXEs XOR’d together, doesn’t it?\r\nStep By Step Example\r\nMD5                               Timestamp          Source IP:Port    Destination IP:Port  Size   Description\r\n3e736a6d3f8fe6cf7e54a7658cba9352  1253064020.308867  88.214.243.45:80  192.168.0.2:1038     785    Encrypted XML\r\n5394487c93a748e6b0b182101ba56a56  1253064023.563605  88.214.243.45:80  192.168.0.2:1039     11264  Encrypted “ddos”\r\nd15af19966a4782ede44a1e62f8cf70b  1253064029.663532  88.214.243.45:80  192.168.0.2:1040     6657   Encrypted “http”\r\n5730dbddc77de80d3d7e053699cb2136  1253064034.512609  88.214.243.45:80  192.168.0.2:1041     16896  Encrypted “syn”\r\nSo, since EXE files are mostly NULLs at the beginning… and the “syn” one seems to have the most NULLs at the\r\nbeginning… it’s the one that yields the most printable text.\r\nhexdump -C Config_x_syn\r\n00000000 71 65 e8 6d 6f 20 76 65 76 73 69 6f 91 c2 22 31 |qe.mo vevsio..\"1|\r\n00000010 96 30 22 3f 3e 0a 3c 62 2b 65 72 6e 65 6c 3e 0a |.0\"?\u003e.\u003cb+ernel\u003e.|\r\n00000020 3c 70 6c 75 67 69 6e 73 3e 0a 3c 70 6c 75 67 69 |\u003cplugins\u003e.\u003cplugi|\r\n00000030 6e 3e 0a 3c 6e 61 6d 65 3e 64 64 6f 9b 3c 2f 6e |n\u003e.\u003cname\u003eddo.\u003c/n|\r\n00000040 6f 72 df 30 0a 88 7f a8 53 cb 68 23 a3 1f 65 54 
|or.0....S.h#..eT|\r\n00000050 46 05 45 02 01 06 08 1c 5f 67 1c 4c 11 02 1b 08 |F.E....._g.L....|\r\n00000060 1d 4e 5c 6f 1c 02 19 1b 47 00 00 1e 4e 73 3d 41 |.N\\o....G...Ns=A|\r\n00000070 00 0a 5a 0d 5a 79 7d 36 0b 6e 61 6d 65 3e 0a 3c |..Z.Zy}6.name\u003e.\u003c|\r\n00000080 11 0a be 86 4a 61 cc 98 12 32 8d d0 46 7c d1 cf |....Ja...2..F|..|\r\n00000090 49 6c c1 ac 1d 21 d2 ca 95 66 96 c8 1f 04 9e d6 |Il...!...f......|\r\n000000a0 5c 73 98 cf 4f 30 a8 9a ce 67 92 c3 16 7d db c8 |\\s..O0...g...}..|\r\n000000b0 1f 21 cd c7 68 6b 9c ac 1a 74 a7 d4 57 67 cd c8 |.!..hk...t..Wg..|\r\n000000c0 18 33 c2 89 54 6b d0 d5 4f 6d 96 98 28 32 8d d6 |.3..Tk..Om..(2..|\r\n000000d0 3e 1c 04 01 4d 30 a8 9a 2f 70 6c 75 67 69 6e 73 |\u003e...M0../plugins|\r\n000000e0 3e 0a 3c 63 6d 64 73 3e 5a 79 2f 63 21 65 77 3e |\u003e.\u003ccmds\u003eZy/c!ew\u003e|\r\n000000f0 73 7e c3 24 67 5f 64 61 74 61 3e 0a dc 64 6a 4e |s~.$g_data\u003e..djN|\r\n00000100 78 3f 3b 7e 63 7e 5f 73 69 40 65 3e 31 30 30 30 |x?;~c~_si@e\u003e1000|\r\n00000110 90 3f 74 63 70 4f 73 69 7a 45 3e 0d 0a 3c 74 73 |.?tcpOsizE\u003e..\u003cts|\r\n00000120 70 4f 66 72 65 73 3e 35 34 3c 2f 74 63 70 5f 66 |pOfres\u003e54\u003c/tcp_f|\r\n00000130 76 65 71 3e 0d 0a 3c 74 63 00 5f 74 68 76 65 61 |veq\u003e..\u003ctc._thvea|\r\n00000140 64 73 3e 35 3e 2f 74 67 70 5f 64 68 72 75 61 64 |ds\u003e5\u003e/tgp_dhruad|\r\n00000150 73 3e 1d 0a 3c 65 64 70 5f 73 69 7a 75 3e 31 30 |s\u003e..\u003cedp_sizu\u003e10|\r\n00000160 20 16 3c 2f 17 64 70 5f 7b 4b 7a 65 8a 0d 0a 3c | .\u003c/.dp_{Kze...\u003c|\r\n00000170 75 64 70 5f 66 72 65 71 3e 35 30 3c 2f 75 64 70 |udp_freq\u003e50\u003c/udp|\r\n00000180 5f 66 72 65 71 3e 0d 0a 3c 15 64 70 e3 74 68 72 |_freq\u003e..\u003c.dp.thr|\r\n00000190 65 61 64 73 3e 35 3c 2f 75 64 70 5f 74 68 72 65 |eads\u003e5\u003c/udp_thre|\r\n000001a0 61 64 73 3e 0d 0a 3c 69 63 6d 70 5f 73 69 7a 65 |ads\u003e..\u003cicmp_size|\r\n000001b0 3e 31 30 30 30 3c 2f 69 63 6d 70 5f 73 69 7a 65 
|\u003e1000\u003c/icmp_size|\r\n000001c0 3e 2d 0a 3c dd 63 6d 70 5f 66 72 65 71 3e 35 30 |\u003e-.\u003c.cmp_freq\u003e50|\r\n000001d0 3c 2f 69 63 6d 70 5f 66 72 65 71 3e 0d 0a 3c 69 |\u003c/icmp_freq\u003e..\u003ci|\r\n000001e0 4d 19 15 27 00 68 72 65 61 69 73 3e 35 2c 2f 69 |M..'.hreais\u003e5,/i|\r\n000001f0 63 63 70 5f 74 6c 72 65 61 64 73 3e 0d 0a 3c 68 |ccp_tlreads\u003e..\u003ch|\r\n00000200 74 74 70 5f 46 72 65 11 10 43 54 51 48 4e 68 74 |ttp_Fre..CTQHNht|\r\n00000210 06 76 5f 66 72 45 71 3e 0d 02 3c 68 74 66 70 5f |.v_frEq\u003e..\u003chtfp_|\r\n00000220 74 68 72 65 61 64 73 3e 35 3c 2f 68 34 74 70 1f |threads\u003e5\u003c/h4tp.|\r\n00000230 5a 0c 13 11 00 64 73 3e 4c 01 64 64 6f 43 3e 0a |Z....ds\u003eL.ddoC\u003e.|\r\n00000240 3c 4e 74 74 70 24 3c 68 74 74 70 5f 66 72 65 71 |\u003cNttp$\u003chttp_freq|\r\n00000250 3e 33 30 3c 6f 68 74 b4 5e 2d 03 1e 0a 12 3e 0d |\u003e30\u003coht.^-....\u003e.|\r\n00000260 46 3d 68 74 74 10 5f 74 68 70 65 61 64 33 3e 32 |F=htt._thpead3\u003e2|\r\n00000270 3c 2f 68 74 74 70 5f 74 68 72 65 61 24 73 3e 7e |\u003c/http_threa$s\u003e~|\r\n00000280 2f 68 74 74 70 3e 0a 3c 73 79 6e 3e 3c 73 79 6e |/http\u003e.\u003csyn\u003e\u003csyn|\r\n00000290 5f 66 72 65 71 3e 32 30 3c 2f 73 79 6e 5f 66 72 |_freq\u003e20\u003c/syn_fr|\r\n000002a0 65 71 3e 0d 0a 3c 73 79 6e 5f 74 68 72 65 61 64 |eq\u003e..\u003csyn_thread|\r\n000002b0 73 3e 33 3c 2f 73 79 6e 5f 74 68 72 65 61 64 73 |s\u003e3\u003c/syn_threads|\r\n000002c0 3e 3c 2f 73 79 6e 3e 0a 3c 2f 70 6c 67 5f 64 61 |\u003e\u003c/syn\u003e.\u003c/plg_da|\r\n000002d0 74 61 3e 0a 3c 73 6c 65 65 70 66 72 65 71 3e 39 |ta\u003e.\u003csleepfreq\u003e9|\r\n000002e0 30 30 3c 2f 73 6c 65 65 70 66 72 65 71 3e 0a 3c |00\u003c/sleepfreq\u003e.\u003c|\r\n000002f0 69 70 3e 31 32 38 2e 31 33 30 2e 35 36 2e 32 32 |ip\u003e128.130.56.22|\r\n00000300 3c 2f 69 70 3e 0a 3c 2f 62 6b 65 72 6e 65 6c 3e |\u003c/ip\u003e.\u003c/bkernel\u003e|\r\n00000310 0a 
|.|\r\n00000311\r\nmd5sum Config_x_syn\r\n0880df84c5b886cbdd0e0be01deed2f6 Config_x_syn\r\nWell, that certainly looks like XML, doesn’t it?\r\nFixup the XML\r\nYou can also approach this from the EXE side of things, but most of you are probably better at reading XML than EXE.\r\nXML also provides for a lot of redundant plaintext.\r\nGeneral Procedure\r\nSince it’s XML, you know every tag must match up, so one can fix the broken tags easily.\r\nMerge all of the known plaintext you can find from the config files together and make the obvious fixes.\r\nXOR this back against the original cyphertext, and you get a big chunk of the keystream.\r\nThen XOR this partial keystream against the EXEs.\r\nFix up the EXE headers, so that most of the fields make sense, try to use the RICH header if present, and make sure\r\n“.text”, “.data”, “.reloc” are spelled correctly, etc.\r\nIf you have a large malware zoo, you can look for EXE files from September that are 11264, 6657, or 16896 bytes\r\nlong, and that mostly match this within the first few hundred bytes.\r\n(The quick way is to just XOR the plaintext you’ve got so far against the other plaintext samples in your zoo, and see\r\nwhich one(s) have the lowest entropy.\r\nIt’s probably one of those. 
Otherwise you can just try them all if it’s not too many (and in this case it’s not too\r\nmany).)\r\nIf you don’t have a sample of one of the EXEs, then just re-XOR the EXE plaintext you’ve recovered so far\r\nwith the original cyphertext.\r\nAnd then XOR that partial keystream back against the config file.\r\nDo the same sort of fix-ups you did before (you’ve got some more bytes now, the ones you just fixed in the EXE).\r\nThen re-XOR this back the other way, lather, rinse, repeat, until you’re down to just the bits you don’t know between\r\nall four of the plaintexts.\r\nAt this point, you’ll have recovered most of the plaintext/keystream, without knowing the\r\npassword or even the cypher used! This trick works for any cypher that is\r\nbasically $randomness ^ $plaintext , where $randomness gets used more than\r\nonce. There’s a reason the one-time pad is one-time-only.\r\nStep-by-step Example\r\nIf you don’t have a hex editor, you can use any 8-bit clean text editor to make the changes; be careful not to add or remove\r\nany characters, otherwise everything after that point will be shifted. (I use Joe as my editor, believe it or not.)\r\n[By the way, if you think this part looks like it took me a long time to write, this was actually the least time-intensive part. The introductory\r\nparagraphs up at the beginning took the longest to write.]\r\n00000000 71 65 e8 6d 6f 20 76 65 76 73 69 6f 91 c2 22 31 |qe.mo vevsio..\"1|\r\n00000010 96 30 22 3f 3e 0a 3c 62 2b 65 72 6e 65 6c 3e 0a |.0\"?\u003e.\u003cb+ernel\u003e.|\r\n…\r\n00000300 3c 2f 69 70 3e 0a 3c 2f 62 6b 65 72 6e 65 6c 3e |\u003c/ip\u003e.\u003c/bkernel\u003e|\r\nWe know the first two bytes of the EXE are “ MZ ”, so XOR “ qe ” with “ MZ ” to get “ \u003c? 
”\r\nBut really, that whole first line can’t be anything other than “ \u003c?xml version=\"1.0\"?\u003e ”\r\nThere is a “ \u003c/bkernel\u003e ” tag at the end, so there must be a “ \u003cbkernel\u003e ” tag at the beginning.\r\n00000030 6e 3e 0a 3c 6e 61 6d 65 3e 64 64 6f 9b 3c 2f 6e |n\u003e.\u003cname\u003eddo.\u003c/n|\r\n00000040 6f 72 df 30 0a 88 7f a8 53 cb 68 23 a3 1f 65 54 |or.0....S.h#..eT|\r\n…\r\n00000070 00 0a 5a 0d 5a 79 7d 36 0b 6e 61 6d 65 3e 0a 3c |..Z.Zy}6.name\u003e.\u003c|\r\n…\r\n000000d0 3e 1c 04 01 4d 30 a8 9a 2f 70 6c 75 67 69 6e 73 |\u003e...M0../plugins|\r\nIt’s safe to assume that “ ddo\\x9B ” is really “ ddos ”.\r\nThe closing tag “ \u003c/nor\\xDF0 ” must be “ \u003c/name\u003e ”\r\nAnd further down, “ 6\\x0Bname\u003e ” can be either “ \u003cname\u003e ” or “ \u003c/name\u003e ”. We’ll figure it out later.\r\n“ \\x9A/plugins\u003e ” is “ \u003c/plugins\u003e ”.\r\n000000f0 73 7e c3 24 67 5f 64 61 74 61 3e 0a dc 64 6a 4e |s~.$g_data\u003e..djN|\r\n00000100 78 3f 3b 7e 63 7e 5f 73 69 40 65 3e 31 30 30 30 |x?;~c~_si@e\u003e1000|\r\n00000110 90 3f 74 63 70 4f 73 69 7a 45 3e 0d 0a 3c 74 73 |.?tcpOsizE\u003e..\u003cts|\r\n00000120 70 4f 66 72 65 73 3e 35 34 3c 2f 74 63 70 5f 66 |pOfres\u003e54\u003c/tcp_f|\r\n00000130 76 65 71 3e 0d 0a 3c 74 63 00 5f 74 68 76 65 61 |veq\u003e..\u003ctc._thvea|\r\n00000140 64 73 3e 35 3e 2f 74 67 70 5f 64 68 72 75 61 64 |ds\u003e5\u003e/tgp_dhruad|\r\n00000150 73 3e 1d 0a 3c 65 64 70 5f 73 69 7a 75 3e 31 30 |s\u003e..\u003cedp_sizu\u003e10|\r\n“ djNx?;~c~_si@e\u003e1000\\x90?tcpOsizE\u003e ” looks like a pair of tags named “ tcp_size ”, so that becomes:\r\n“ djNx?\u003ctcp_size\u003e1000\u003c/tcp_size\u003e ”\r\n“ \u003ctspOfres\u003e54\u003c/tcp_fveq\u003e ” looks like a pair of tags named “ tcp_freq ”, so this becomes:\r\n“ \u003ctcp_freq\u003e54\u003c/tcp_freq\u003e ”\r\n“ \u003ctc\\x00_thveads\u003e5\u003e/tgp_dhruads\u003e ” looks like it says “ tcp_threads ”, so this becomes:\r\n“ 
\u003ctcp_threads\u003e5\u003c/tcp_threads\u003e ”, and\r\nthe end of line should be “ \\x0D\\x0A ” rather than “ \\x1D\\x0A ”\r\n00000150 73 3e 1d 0a 3c 65 64 70 5f 73 69 7a 75 3e 31 30 |s\u003e..\u003cedp_sizu\u003e10|\r\n00000160 20 16 3c 2f 17 64 70 5f 7b 4b 7a 65 8a 0d 0a 3c | .\u003c/.dp_{Kze...\u003c|\r\n00000170 75 64 70 5f 66 72 65 71 3e 35 30 3c 2f 75 64 70 |udp_freq\u003e50\u003c/udp|\r\n00000180 5f 66 72 65 71 3e 0d 0a 3c 15 64 70 e3 74 68 72 |_freq\u003e..\u003c.dp.thr|\r\n“ \u003cedp_sizu\u003e10 \\x16\u003c/\\x17dp_{Kze\\x8A ” looks like it says “ udp_size ” (this follows the naming pattern established\r\nby “ tcp_size ” above).\r\nSo, fixing those tags:\r\n“ \u003cudp_size\u003e10 \\x16\u003c/udp_size\u003e ”, and if it’s following the same pattern as “ tcp_size ” above, then the number\r\nwithin the tags is probably “ 1000 ”\r\n“ \u003cudp_size\u003e1000\u003c/udp_size\u003e ”\r\n“ \u003cudp_freq\u003e50\u003c/udp_freq\u003e ” That looks just right… it also implies that the “ \u003ctcp_freq\u003e54\u003c/tcp_freq\u003e ” from\r\nabove should really be:\r\n“ \u003ctcp_freq\u003e50\u003c/tcp_freq\u003e ”\r\n00000180 5f 66 72 65 71 3e 0d 0a 3c 15 64 70 e3 74 68 72 |_freq\u003e..\u003c.dp.thr|\r\n00000190 65 61 64 73 3e 35 3c 2f 75 64 70 5f 74 68 72 65 |eads\u003e5\u003c/udp_thre|\r\n000001a0 61 64 73 3e 0d 0a 3c 69 63 6d 70 5f 73 69 7a 65 |ads\u003e..\u003cicmp_size|\r\n000001b0 3e 31 30 30 30 3c 2f 69 63 6d 70 5f 73 69 7a 65 |\u003e1000\u003c/icmp_size|\r\n“ \u003c\\x15dp\\xE3threads\u003e5\u003c/udp_threads\u003e ” should obviously be:\r\n“ \u003cudp_threads\u003e5\u003c/udp_threads\u003e ”, and the number matches with “ tcp_threads ” above.\r\n“ \u003cicmp_size\u003e1000\u003c/icmp_size\u003e- ” just needs the “ - ” changed back to a “ \\x0D ” end of line character.\r\n000001c0 3e 2d 0a 3c dd 63 6d 70 5f 
66 72 65 71 3e 35 30 |\u003e-.\u003c.cmp_freq\u003e50|\r\n000001d0 3c 2f 69 63 6d 70 5f 66 72 65 71 3e 0d 0a 3c 69 |\u003c/icmp_freq\u003e..\u003ci|\r\n000001e0 4d 19 15 27 00 68 72 65 61 69 73 3e 35 2c 2f 69 |M..'.hreais\u003e5,/i|\r\n000001f0 63 63 70 5f 74 6c 72 65 61 64 73 3e 0d 0a 3c 68 |ccp_tlreads\u003e..\u003ch|\r\n00000200 74 74 70 5f 46 72 65 11 10 43 54 51 48 4e 68 74 |ttp_Fre..CTQHNht|\r\n“ \u003c\\xDDcmp_freq\u003e50\u003c/icmp_freq\u003e ” is obviously “ \u003cicmp_freq\u003e50\u003c/icmp_freq\u003e ”\r\nBased on everything so far, we can say that\r\n“ \u003ciM\\x19\\x15'\\x00hreais\u003e5,/iccp_tlreads\u003e ” is really:\r\n“ \u003cicmp_threads\u003e5\u003c/icmp_threads\u003e ”\r\n00000200 74 74 70 5f 46 72 65 11 10 43 54 51 48 4e 68 74 |ttp_Fre..CTQHNht|\r\n00000210 06 76 5f 66 72 45 71 3e 0d 02 3c 68 74 66 70 5f |.v_frEq\u003e..\u003chtfp_|\r\n“ \u003chttp_Fre\\x11\\x10CTQHNht\\x06v_frEq\u003e\\x0D\\x02 ” is clearly:\r\n“ \u003chttp_freq\u003eCTQ\u003c/http_freq\u003e\\x0D\\x0A ”. Well, not quite so clearly: it looks like there’s a three-digit number that\r\ngoes there, not 1000 as above.\r\n00000220 74 68 72 65 61 64 73 3e 35 3c 2f 68 34 74 70 1f |threads\u003e5\u003c/h4tp.|\r\n00000230 5a 0c 13 11 00 64 73 3e 4c 01 64 64 6f 43 3e 0a |Z....ds\u003eL.ddoC\u003e.|\r\n“ \u003chtfp_threads\u003e5\u003c/h4tp\\x1FZ\\x0C\\x13\\x11\\x00ds\u003eL\\x01ddoC\u003e ” Well, this first part is obvious:\r\n“ \u003chttp_threads\u003e5\u003c/http_threads\u003eL\\x01ddoC\u003e ”\r\nAnd then that’s probably the closing tag to “ \u003cddos\u003e ”, so we get:\r\n“ \u003chttp_threads\u003e5\u003c/http_threads\u003e\u003c/ddos\u003e ”\r\n00000240 3c 4e 74 74 70 24 3c 68 74 74 70 5f 66 72 65 71 |\u003cNttp$\u003chttp_freq|\r\n00000250 3e 33 30 3c 6f 68 74 b4 5e 2d 03 1e 0a 12 3e 0d |\u003e30\u003coht.^-....\u003e.|\r\n00000260 46 3d 68 74 74 10 5f 74 68 70 65 61 64 33 3e 32 |F=htt._thpead3\u003e2|\r\n00000270 3c 2f 68 74 74 70 5f 74 68 72 65 61 24 73 3e 7e 
|\u003c/http_threa$s\u003e~|\r\n00000280 2f 68 74 74 70 3e 0a 3c 73 79 6e 3e 3c 73 79 6e |/http\u003e.\u003csyn\u003e\u003csyn|\r\n00000290 5f 66 72 65 71 3e 32 30 3c 2f 73 79 6e 5f 66 72 |_freq\u003e20\u003c/syn_fr|\r\nSo, this looks like there’s a pair of tags like “ \u003chttp\u003e ” stuff “ \u003c/http\u003e ” and more “ http_freq ” and\r\n“ http_threads ” stuff…\r\n“ \u003cNttp$\u003chttp_freq\u003e30\u003coht\\xB4^-\\x03\\x1E\\x0A\\x12\\x3E\\x0D ”\r\n“ F=htt\\x10_thpead3\u003e2\u003c/http_threa$s\u003e~/http\u003e\\x0A ”\r\nSo that mostly becomes:\r\n“ \u003chttp\u003e\u003chttp_freq\u003e30\u003c/http_freq\u003eF\u003chttp_threads\u003e2\u003c/http_threads\u003e\u003c/http\u003e ”\r\nAll the rest of the file looks fine… so near the beginning where it says:\r\n000000e0 3e 0a 3c 63 6d 64 73 3e 5a 79 2f 63 21 65 77 3e |\u003e.\u003ccmds\u003eZy/c!ew\u003e|\r\n000000f0 73 7e c3 24 67 5f 64 61 74 61 3e 0a dc 64 6a 4e |s~.$g_data\u003e..djN|\r\n00000100 78 3f 3b 7e 63 7e 5f 73 69 40 65 3e 31 30 30 30 |x?;~c~_si@e\u003e1000|\r\n“ \u003ccmds\u003eZy/c!ew\u003es~\\xC3$g_data\u003e\\x0A ” based upon the rest of the file, that should probably be:\r\n“ \u003ccmds\u003eZ\u003c/cmds\u003es\u003cplg_data\u003e ”. The EOL character used after the closing tag(s) of the larger structures is “ \\x0A ”\r\nrather than the “ \\x0D\\x0A ” used after each config option.\r\nSo, the “ s ” is probably a “ \\x0A ”\r\nIf this is also true of all opening tags, then the “ Z ” in commands should be a “ \\x0A ” also.\r\nSo, do all of the tags balance? There’s a closing “ \u003c/ddos\u003e ” tag without an opening tag. 
If this XML document is\r\nwell formed, the opening tag should go here:\r\n“ \u003cplg_data\u003e\\x0A\\xDCdjNx?\u003ctcp_size\u003e ” between the opening “ \u003cplg_data\u003e ” and “ \u003ctcp_size\u003e ” tags.\r\n“ \u003cplg_data\u003e\\x0A\u003cddos\u003e\u003ctcp_size\u003e ” It fits just right.\r\n(If you were paying close attention, you may have noticed that many of the corrected bytes, differ from the original by only\r\na single bit.)\r\nRecap\r\nSo let’s see what we have so far:\r\n00000000 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 |\u003c?xml version=\"1|\r\n00000010 2e 30 22 3f 3e 0a 3c 62 6b 65 72 6e 65 6c 3e 0a |.0\"?\u003e.\u003cbkernel\u003e.|\r\n00000020 3c 70 6c 75 67 69 6e 73 3e 0a 3c 70 6c 75 67 69 |\u003cplugins\u003e.\u003cplugi|\r\n00000030 6e 3e 0a 3c 6e 61 6d 65 3e 64 64 6f 73 3c 2f 6e |n\u003e.\u003cname\u003eddos\u003c/n|\r\n00000040 61 6d 65 3e 0a 88 7f a8 53 cb 68 23 a3 1f 65 54 |ame\u003e....S.h#..eT|\r\n00000050 46 05 45 02 01 06 08 1c 5f 67 1c 4c 11 02 1b 08 |F.E....._g.L....|\r\n00000060 1d 4e 5c 6f 1c 02 19 1b 47 00 00 1e 4e 73 3d 41 |.N\\o....G...Ns=A|\r\n00000070 00 0a 5a 0d 5a 79 7d 36 0b 6e 61 6d 65 3e 0a 3c |..Z.Zy}6.name\u003e.\u003c|\r\n00000080 11 0a be 86 4a 61 cc 98 12 32 8d d0 46 7c d1 cf |....Ja...2..F|..|\r\n00000090 49 6c c1 ac 1d 21 d2 ca 95 66 96 c8 1f 04 9e d6 |Il...!...f......|\r\n000000a0 5c 73 98 cf 4f 30 a8 9a ce 67 92 c3 16 7d db c8 |\\s..O0...g...}..|\r\n000000b0 1f 21 cd c7 68 6b 9c ac 1a 74 a7 d4 57 67 cd c8 |.!..hk...t..Wg..|\r\n000000c0 18 33 c2 89 54 6b d0 d5 4f 6d 96 98 28 32 8d d6 |.3..Tk..Om..(2..|\r\n000000d0 3e 1c 04 01 4d 30 a8 3c 2f 70 6c 75 67 69 6e 73 |\u003e...M0.\u003c/plugins|\r\n000000e0 3e 0a 3c 63 6d 64 73 3e 0a 3c 2f 63 6d 64 73 3e |\u003e.\u003ccmds\u003e.\u003c/cmds\u003e|\r\n000000f0 0a 3c 70 6c 67 5f 64 61 74 61 3e 0a 3c 64 64 6f |.\u003cplg_data\u003e.\u003cddo|\r\n00000100 73 3e 3c 74 63 70 5f 73 69 7a 65 3e 31 30 30 30 |s\u003e\u003ctcp_size\u003e1000|\r\n00000110 3c 2f 74 
63 70 5f 73 69 7a 65 3e 0d 0a 3c 74 63 |\u003c/tcp_size\u003e..\u003ctc|\r\n00000120 70 5f 66 72 65 71 3e 35 30 3c 2f 74 63 70 5f 66 |p_freq\u003e50\u003c/tcp_f|\r\n00000130 72 65 71 3e 0d 0a 3c 74 63 70 5f 74 68 72 65 61 |req\u003e..\u003ctcp_threa|\r\n00000140 64 73 3e 35 3c 2f 74 63 70 5f 74 68 72 65 61 64 |ds\u003e5\u003c/tcp_thread|\r\n00000150 73 3e 0d 0a 3c 75 64 70 5f 73 69 7a 65 3e 31 30 |s\u003e..\u003cudp_size\u003e10|\r\n00000160 30 30 3c 2f 75 64 70 5f 73 69 7a 65 3e 0d 0a 3c |00\u003c/udp_size\u003e..\u003c|\r\n00000170 75 64 70 5f 66 72 65 71 3e 35 30 3c 2f 75 64 70 |udp_freq\u003e50\u003c/udp|\r\n00000180 5f 66 72 65 71 3e 0d 0a 3c 75 64 70 5f 74 68 72 |_freq\u003e..\u003cudp_thr|\r\n00000190 65 61 64 73 3e 35 3c 2f 75 64 70 5f 74 68 72 65 |eads\u003e5\u003c/udp_thre|\r\n000001a0 61 64 73 3e 0d 0a 3c 69 63 6d 70 5f 73 69 7a 65 |ads\u003e..\u003cicmp_size|\r\n000001b0 3e 31 30 30 30 3c 2f 69 63 6d 70 5f 73 69 7a 65 |\u003e1000\u003c/icmp_size|\r\n000001c0 3e 0d 0a 3c 69 63 6d 70 5f 66 72 65 71 3e 35 30 |\u003e..\u003cicmp_freq\u003e50|\r\n000001d0 3c 2f 69 63 6d 70 5f 66 72 65 71 3e 0d 0a 3c 69 |\u003c/icmp_freq\u003e..\u003ci|\r\n000001e0 63 6d 70 5f 74 68 72 65 61 64 73 3e 35 3c 2f 69 |cmp_threads\u003e5\u003c/i|\r\n000001f0 63 6d 70 5f 74 68 72 65 61 64 73 3e 0d 0a 3c 68 |cmp_threads\u003e..\u003ch|\r\n00000200 74 74 70 5f 66 72 65 71 3e 43 54 51 3c 2f 68 74 |ttp_freq\u003eCTQ\u003c/ht|\r\n00000210 74 70 5f 66 72 65 71 3e 0d 0a 3c 68 74 74 70 5f |tp_freq\u003e..\u003chttp_|\r\n00000220 74 68 72 65 61 64 73 3e 35 3c 2f 68 74 74 70 5f |threads\u003e5\u003c/http_|\r\n00000230 74 68 72 65 61 64 73 3e 3c 2f 64 64 6f 73 3e 0a |threads\u003e\u003c/ddos\u003e.|\r\n00000240 3c 68 74 74 70 3e 3c 68 74 74 70 5f 66 72 65 71 |\u003chttp\u003e\u003chttp_freq|\r\n00000250 3e 33 30 3c 2f 68 74 74 70 5f 66 72 65 71 
3e 0d |\u003e30\u003c/http_freq\u003e.|\r\n00000260 0a 3c 68 74 74 70 5f 74 68 72 65 61 64 73 3e 32 |.\u003chttp_threads\u003e2|\r\n00000270 3c 2f 68 74 74 70 5f 74 68 72 65 61 64 73 3e 3c |\u003c/http_threads\u003e\u003c|\r\n00000280 2f 68 74 74 70 3e 0a 3c 73 79 6e 3e 3c 73 79 6e |/http\u003e.\u003csyn\u003e\u003csyn|\r\n00000290 5f 66 72 65 71 3e 32 30 3c 2f 73 79 6e 5f 66 72 |_freq\u003e20\u003c/syn_fr|\r\n000002a0 65 71 3e 0d 0a 3c 73 79 6e 5f 74 68 72 65 61 64 |eq\u003e..\u003csyn_thread|\r\n000002b0 73 3e 33 3c 2f 73 79 6e 5f 74 68 72 65 61 64 73 |s\u003e3\u003c/syn_threads|\r\n000002c0 3e 3c 2f 73 79 6e 3e 0a 3c 2f 70 6c 67 5f 64 61 |\u003e\u003c/syn\u003e.\u003c/plg_da|\r\n000002d0 74 61 3e 0a 3c 73 6c 65 65 70 66 72 65 71 3e 39 |ta\u003e.\u003csleepfreq\u003e9|\r\n000002e0 30 30 3c 2f 73 6c 65 65 70 66 72 65 71 3e 0a 3c |00\u003c/sleepfreq\u003e.\u003c|\r\n000002f0 69 70 3e 31 32 38 2e 31 33 30 2e 35 36 2e 32 32 |ip\u003e128.130.56.22|\r\n00000300 3c 2f 69 70 3e 0a 3c 2f 62 6b 65 72 6e 65 6c 3e |\u003c/ip\u003e.\u003c/bkernel\u003e|\r\n00000310 0a |.|\r\n00000311\r\nUnknown Bits\r\nThere’s still a chunk of noise near the beginning.\r\nFrom what we can see, there must be a “ \u003c/plugin\u003e ” tag, and an opening or closing “ name ” tag, somewhere in the noise.\r\nIs there anything in the other combinations of files? 
So… the answer is no, not really: all three combinations of these files have\r\nidentical noise between offsets 0x40 and 0x70, and unique noise from 0x80 to 0xd0.\r\nSo whatever is between 0x40 and 0x70 is common to all these EXEs.\r\n00000040 6f 72 df 30 0a 88 7f a8 53 cb 68 23 a3 1f 65 54 |or.0....S.h#..eT|\r\n00000050 46 05 45 02 01 06 08 1c 5f 67 1c 4c 11 02 1b 08 |F.E....._g.L....|\r\n00000060 1d 4e 5c 6f 1c 02 19 1b 47 00 00 1e 4e 73 3d 41 |.N\\o....G...Ns=A|\r\n00000070 00 0a 5a 0d 5a 79 7d 36 0b 6e 61 6d 65 3e 0a 3c |..Z.Zy}6.name\u003e.\u003c|\r\n00000080 9b db b5 e7 c0 b0 c7 f9 98 e3 86 b1 cc ad da ae |................|\r\n00000090 c3 bd 98 cd 96 f0 d9 ab d9 b4 9f a9 96 d5 95 b7 |................|\r\n000000a0 c0 a6 93 ae c5 e1 a3 fb 44 b6 9b a2 96 ac d0 a9 |........D.......|\r\n000000b0 16 f8 9a a6 c3 ba 97 cd 95 a9 cd b5 c9 b6 c6 a9 |................|\r\n000000c0 92 e2 f5 e8 da ba db b4 c5 bc 9b f9 a2 e3 86 b7 |................|\r\n000000d0 c0 a6 94 ae c6 e1 a3 fb 7d 19 0f 1d ce b6 c7 b4 |........}.......|\r\nFixup the EXE\r\nSo, let’s extract as much of the keystream as we have now, and take a look at the syn.exe file…\r\nperl xor3.pl xml.crypt demo demo.keystream\r\nperl xor3.pl syn.crypt demo.keystream demo.syn\r\nhexdump -C demo.syn\r\n00000000 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 |MZ..............|\r\n00000010 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 |........@.......|\r\n00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|\r\n00000030 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 |................|\r\n00000040 0e 1f ba 0e 00 00 00 00 00 00 00 00 00 00 00 00 |................|\r\n00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|\r\n*\r\n000000d0 00 00 00 00 00 00 00 a6 00 00 00 00 00 00 00 00 |................|\r\n000000e0 00 00 
00 00 00 00 00 00 50 45 00 00 4c 01 04 00 |........PE..L...|\r\n000000f0 79 42 b3 48 00 00 00 00 00 00 00 00 e0 00 0e 21 |yB.H...........!|\r\n00000100 0b 01 07 0a 00 0e 00 00 00 3a 00 00 00 00 00 00 |.........:......|\r\n00000110 ac 10 00 00 00 10 00 00 00 20 00 00 00 00 00 10 |......... ......|\r\n00000120 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 |................|\r\n00000130 04 00 00 00 00 00 00 00 00 70 00 00 00 04 00 00 |.........p......|\r\n00000140 00 00 00 00 02 00 00 04 00 00 10 00 00 10 00 00 |................|\r\n00000150 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 |................|\r\n00000160 10 26 00 00 62 00 00 00 08 22 00 00 b4 00 00 00 |.\u0026..b....\"......|\r\n00000170 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|\r\n00000180 00 00 00 00 00 00 00 00 00 60 00 00 bc 00 00 00 |.........`......|\r\n00000190 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|\r\n*\r\n000001c0 00 20 00 00 b4 00 00 00 00 00 00 00 00 00 00 00 |. ..............|\r\n000001d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|\r\n000001e0 2e 74 65 78 74 00 00 00 00 0d 00 00 00 10 00 00 |.text...........|\r\n000001f0 00 0e 00 00 00 04 00 00 00 00 00 00 00 00 00 00 |................|\r\n00000200 00 00 00 00 20 00 00 60 2e 00 00 00 74 61 00 00 |.... ..`....ta..|\r\n00000210 72 06 00 00 00 20 00 00 00 08 00 00 00 12 00 00 |r.... 
..........|\r\n00000220 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 |............@..@|\r\n00000230 2e 64 61 74 61 00 00 00 70 2e 00 00 00 30 00 00 |.data...p....0..|\r\n00000240 00 26 00 00 00 1a 00 00 00 00 00 00 00 00 00 00 |.\u0026..............|\r\n00000250 00 00 00 00 40 00 00 c0 2e 72 65 6c 6f 63 00 00 |....@....reloc..|\r\n00000260 4c 01 00 00 00 60 00 00 00 02 00 00 00 40 00 00 |L....`.......@..|\r\n00000270 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 |............@..B|\r\n00000280 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|\r\n*\r\n00000310 00 |.|\r\n00000311\r\nWell this is encouraging…\r\nThe section header names all look pretty standard, so “ .\\x00\\x00\\x00ta ” is probably “ .rdata ” or “ .idata ” (maybe even “ .pdata ”).\r\nThe three unknown bytes of that name sit at the same offsets as the three garbled characters “ CTQ ” in the “ http_freq ” value of the config file:\r\n00000200 74 74 70 5f 66 72 65 71 3e 43 54 51 3c 2f 68 74 |ttp_freq\u003eCTQ\u003c/ht|\r\n00000200 00 00 00 00 20 00 00 60 2e 00 00 00 74 61 00 00 |.... ..`....ta..|\r\nXOR “ CTQ ” by “ ida ” and you get “ *00 ”\r\nXOR “ CTQ ” by “ rda ” and you get “ 100 ”\r\nXOR “ CTQ ” by “ pda ” and you get “ 300 ”\r\nBut, just like with the config file above, we can XOR it against the other EXEs:\r\nhttp.crypt ⊕ syn.crypt\r\n00000200 00 0e 00 00 20 04 00 60 2e 72 64 61 74 61 00 00 |.... ...rdata..|\r\n00000210 72 06 00 00 20 20 00 60 2e 7a 64 61 74 73 00 00 |r... 
..zdats..|\r\nThe answer is ‘ rdata ‘: in the http.crypt ⊕ syn.crypt dump the name “ .rdata ” shows up in the clear at 0x208 because http.exe has nothing but NULL s there (its section table sits 0x10 bytes further on), so those bytes are syn.exe’s own.\r\nYou can also edit this EXE in your favorite 8-bit clean text editor, or your favorite hex editor if you’re not a masochist.\r\nDOS Header\r\nThe “ PE\\x00\\x00 ” header is at offset 0xE8 and so the DWORD at 0x3C ( e_lfanew ) is correct.\r\nFor review, this is the structure of a DOS EXE header:\r\n typedef struct _IMAGE_DOS_HEADER { // DOS .EXE header\r\nUSHORT e_magic; // Magic number\r\nUSHORT e_cblp; // Bytes on last page of file\r\nUSHORT e_cp; // Pages in file\r\nUSHORT e_crlc; // Relocations\r\nUSHORT e_cparhdr; // Size of header in paragraphs\r\nUSHORT e_minalloc; // Minimum extra paragraphs needed\r\nUSHORT e_maxalloc; // Maximum extra paragraphs needed\r\nUSHORT e_ss; // Initial (relative) SS value\r\nUSHORT e_sp; // Initial SP value\r\nUSHORT e_csum; // Checksum\r\nUSHORT e_ip; // Initial IP value\r\nUSHORT e_cs; // Initial (relative) CS value\r\nUSHORT e_lfarlc; // File address of relocation table\r\nUSHORT e_ovno; // Overlay number\r\nUSHORT e_res[4]; // Reserved words\r\nUSHORT e_oemid; // OEM identifier (for e_oeminfo)\r\nUSHORT e_oeminfo; // OEM information; e_oemid specific\r\nUSHORT e_res2[10]; // Reserved words\r\nLONG e_lfanew; // File address of new exe header\r\n} IMAGE_DOS_HEADER, *PIMAGE_DOS_HEADER;\r\n... 
followed immediately by the stub program.\r\nhttp://www.csn.ul.ie/~caolan/publink/winresdump/winresdump/doc/pefile.html (or www.skynet.ie)\r\nThe usual stuff http://msdn.microsoft.com/en-us/magazine/cc301805.aspx\r\nSince everything is a WORD, let’s alter our hexdump slightly (the field names are in struct order, eight WORD s per row):\r\n0000000 5a4d 0090 0003 0000 0004 0000 ffff 0000   e_magic e_cblp e_cp e_crlc e_cparhdr e_minalloc e_maxalloc e_ss\r\n0000010 00b8 0000 0000 0000 0040 0000 0000 0000   e_sp e_csum e_ip e_cs e_lfarlc e_ovno e_res[0] e_res[1]\r\n0000020 0000 0000 0000 0000 0000 0000 0000 0000   e_res[2] e_res[3] e_oemid e_oeminfo e_res2[0] e_res2[1] e_res2[2] e_res2[3]\r\n0000030 0000 0000 0000 0000 0000 0000 00e8 0000   e_res2[4] e_res2[5] e_res2[6] e_res2[7] e_res2[8] e_res2[9] e_lfanew (low WORD) e_lfanew (high WORD)\r\n0000040 1f0e 0eba 0000 0000 0000 0000 0000 0000\r\n0000050 0000 0000 0000 0000 0000 0000 0000 0000\r\nAnd make it a bit easier to read just for this blog post (memory sizes in the DOS header are counted in paragraphs of 16 bytes, file size in pages of 512 bytes):\r\nOffset  Name                              Field        Value           Meaning\r\n0x00    Signature                         e_magic      0x5a4d          “MZ”\r\n0x02    Bytes on last page                e_cblp       0x0090          144 bytes\r\n0x04    Page count                        e_cp         0x0003          3 pages\r\n0x06    Relocation count                  e_crlc       0x0000          0\r\n0x08    Header size                       e_cparhdr    0x0004          4 paragraphs (0x40 bytes)\r\n0x0A    Minimum memory                    e_minalloc   0x0000          0 paragraphs\r\n0x0C    Maximum memory                    e_maxalloc   0xffff          65535 paragraphs\r\n0x0E    SS : SP                           e_ss, e_sp   0x0000 0x00b8   0000:00B8h\r\n0x12    Checksum                          e_csum       0x0000          0\r\n0x14    CS : IP                           e_ip, e_cs   0x0000 0x0000   0000:0000h (entry point at file offset 00000040h, right after the header)\r\n0x18    Relocation table offset           e_lfarlc     0x0040          0x40 bytes\r\n0x1A    Overlay number                    e_ovno       0x0000          0\r\n0x1C    Reserved                          e_res[4]     0x0000 x4       0\r\n0x24    OEM identifier (module length)    e_oemid      0x0000          0\r\n0x26    OEM information (image offset)    e_oeminfo    0x0000          0\r\n0x28    Reserved                          e_res2[10]   0x0000 x10      0\r\n0x3C    New EXE [PE] header offset        e_lfanew     0x000000e8      000000E8h\r\nSo let’s 
assume for the moment, that offsets 0x00 thru 0x3F are correct, as they look correct in the recovered XML file.\r\nEverything from 0xD7 to the end looks mostly correct too; since this is mostly a PE header, it should be possible to sanity check it later.\r\nThe PE headers of http.exe and syn.exe are shifted relative to each other by 0x10 (16) bytes: syn.exe is the one whose headers come 0x10 bytes earlier in the file (its “ PE\\x00\\x00 ” signature is at 0xE8, http.exe’s at 0xF8), which is why both signatures show up in the XOR below. (The top lines of each pair.)\r\n00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|\r\n*\r\n00000030 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 00 |................|\r\n00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|\r\n*\r\n00000080 8a d1 0b 61 8a d1 0b 61 8a d1 0b 61 8a d1 0b 61 |...a...a...a...a|\r\n00000090 8a d1 59 61 8b d1 0b 61 4c d2 09 61 89 d1 0b 61 |..Ya...aL..a...a|\r\n000000a0 9c d5 0b 61 8a d1 0b 61 8a d1 09 61 80 d1 0b 61 |...a...a...a...a|\r\n000000b0 09 d9 57 61 ab d1 0b 61 8f dd 6a 61 9e d1 0b 61 |..Wa...a..ja...a|\r\n000000c0 8a d1 37 61 8e d1 0b 61 8a d1 0d 61 8a d1 0b 61 |..7a...a...a...a|\r\n000000d0 fe ba 90 af 8b d1 0b 61 52 69 63 68 a9 df a9 c7 |.......aRich....|\r\n000000e0 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 |........PE..L...|\r\n000000f0 79 42 b3 48 00 00 00 00 50 45 00 00 ac 01 0a 21 |yB.H....PE.....!|\r\n00000100 9e 27 a1 42 00 0e 00 00 00 3a 00 00 e0 00 0e 21 |.'.B.....:.....!|\r\n00000110 a7 11 07 0a 00 1e 00 00 00 30 00 00 00 00 00 10 |.........0......|\r\n00000120 41 00 00 00 00 12 00 00 04 20 00 00 00 00 00 10 |A........ 
......|\r\n00000130 04 10 00 00 00 02 00 00 04 70 00 00 00 04 00 00 |.........p......|\r\n00000140 04 00 00 00 02 00 00 04 00 50 10 00 00 14 00 00 |.........P......|\r\n00000150 00 00 10 00 02 10 00 04 00 00 10 00 10 10 00 00 |................|\r\n00000160 10 26 10 00 62 10 00 00 08 22 00 00 a4 00 00 00 |.\u0026..b....\"......|\r\n00000170 10 23 00 00 63 00 00 00 00 21 00 00 64 00 00 00 |.#..c....!..d...|\r\n00000180 00 00 00 00 00 00 00 00 00 60 00 00 bc 00 00 00 |.........`......|\r\n00000190 00 00 00 00 00 00 00 00 00 40 00 00 20 01 00 00 |.........@.. ...|\r\n000001a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|\r\n*\r\n000001c0 00 20 00 00 b4 00 00 00 00 00 00 00 00 00 00 00 |. ..............|\r\n000001d0 00 20 00 00 5c 00 00 00 00 00 00 00 00 00 00 00 |. ..\\...........|\r\n000001e0 2e 74 65 78 74 00 00 00 00 0d 00 00 00 10 00 00 |.text...........|\r\n000001f0 2e 7a 65 78 74 04 00 00 dd 0d 00 00 00 10 00 00 |.zext...........|\r\n00000200 00 0e 00 00 20 04 00 60 2e 72 64 61 74 61 00 00 |.... ..`.rdata..|\r\n00000210 72 06 00 00 20 20 00 60 2e 7a 64 61 74 73 00 00 |r... .`.zdats..|\r\n00000220 73 03 00 00 00 20 00 00 00 04 00 00 40 12 00 40 |s.... ......@..@|\r\n00000230 2e 64 61 74 61 00 00 00 70 2e 00 00 40 30 00 40 |.data...p...@0.@|\r\n00000240 2e 42 61 74 61 1a 00 00 f0 09 00 00 00 30 00 00 |.Bata........0..|\r\n00000250 00 02 00 00 40 16 00 c0 2e 72 65 6c 6f 63 00 00 |....@....reloc..|\r\n00000260 4c 01 00 00 40 60 00 c0 2e 70 65 6c 6f 23 00 00 |L...@`...pelo#..|\r\n00000270 86 01 00 00 00 40 00 00 00 02 00 00 40 18 00 42 |.....@......@..B|\r\n00000280 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 |............@..B|\r\n00000290 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|\r\n*\r\nBytes between 0x40 and 0x7F are the same in all files, however,\r\n1. If our XML was right, the first four bytes are 0e 1f ba 0e\r\n00000040 0e 1f ba 0e 00 00 00 00 00 00 00 00 00 00 00 00 |................|\r\n2. 
These are fairly standard EXE headers, and these 0x40 bytes come right after the DOS EXE header. The entry point of this DOS executable (CS:IP = 0000:0000, relative to the end of the four-paragraph header) is located at offset 0x40 too.\r\nSo what usually follows the DOS EXE header, and is 0x40 bytes long?\r\nhttp://www.google.com/search?q=dos+exe+stub\r\n00000040 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 |........!..L.!Th|\r\n00000050 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f |is program canno|\r\n00000060 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 |t be run in DOS |\r\n00000070 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 |mode....$.......|\r\n00000040 0E push cs\r\n00000041 1F pop ds\r\n00000042 BA0E00 mov dx,0xe ; string offset \"This program…\" (0x40 + 0xe = 0x4e)\r\n00000045 B409 mov ah,0x9\r\n00000047 CD21 int 0x21 ; print\r\n00000049 B8014C mov ax,0x4c01\r\n0000004C CD21 int 0x21 ; exit with return code 1\r\n0000004E db \"This program cannot be run in DOS mode.\\r\\r\\n$\",0\r\nThere are several variations on the DOS stub. 
This is one of the more likely ones, as it’s the default Microsoft one.\r\nAlso note where the Nulls match up with the config file:\r\n00000070 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 |mode....$.......|\r\n00000070 00 0a 5a 0d 5a 79 7d 36 0b 6e 61 6d 65 3e 0a 3c |..Z.Zy}6.name\u003e.\u003c|\r\nSo, let’s XOR the stub (from 0x45 to 0x78 ) with the config file:\r\n00000000 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 |\u003c?xml version=\"1|\r\n00000010 2e 30 22 3f 3e 0a 3c 62 6b 65 72 6e 65 6c 3e 0a |.0\"?\u003e.\u003cbkernel\u003e.|\r\n00000020 3c 70 6c 75 67 69 6e 73 3e 0a 3c 70 6c 75 67 69 |\u003cplugins\u003e.\u003cplugi|\r\n00000030 6e 3e 0a 3c 6e 61 6d 65 3e 64 64 6f 73 3c 2f 6e |n\u003e.\u003cname\u003eddos\u003c/n|\r\n00000040 61 6d 65 3e 0a 3c 76 65 72 73 69 6f 6e 3e 31 3c |ame\u003e.\u003cversion\u003e1\u003c|\r\n00000050 2f 76 65 72 73 69 6f 6e 3e 0a 3c 2f 70 6c 75 67 |/version\u003e.\u003c/plug|\r\n00000060 69 6e 3e 0a 3c 70 6c 75 67 69 6e 3e 0a 3c 6e 61 |in\u003e.\u003cplugin\u003e.\u003cna|\r\n00000070 6d 65 3e 68 74 74 70 3c 2f 6e 61 6d 65 3e 0a 3c |me\u003ehttp\u003c/name\u003e.\u003c|\r\n00000080 11 0a be 86 4a 61 cc 98 12 32 8d d0 46 7c d1 cf |....Ja...2..F|..|\r\n00000090 49 6c c1 ac 1d 21 d2 ca 95 66 96 c8 1f 04 9e d6 |Il...!...f......|\r\n000000a0 5c 73 98 cf 4f 30 a8 9a ce 67 92 c3 16 7d db c8 |\\s..O0...g...}..|\r\n000000b0 1f 21 cd c7 68 6b 9c ac 1a 74 a7 d4 57 67 cd c8 |.!..hk...t..Wg..|\r\n000000c0 18 33 c2 89 54 6b d0 d5 4f 6d 96 98 28 32 8d d6 |.3..Tk..Om..(2..|\r\n000000d0 3e 1c 04 01 4d 30 a8 3c 2f 70 6c 75 67 69 6e 73 |\u003e...M0.\u003c/plugins|\r\n000000e0 3e 0a 3c 63 6d 64 73 3e 0a 3c 2f 63 6d 64 73 3e |\u003e.\u003ccmds\u003e.\u003c/cmds\u003e|\r\n000000f0 0a 3c 70 6c 67 5f 64 61 74 61 3e 0a 3c 64 64 6f |.\u003cplg_data\u003e.\u003cddo|\r\n00000100 73 3e 3c 74 63 70 5f 73 69 7a 65 3e 31 30 30 30 |s\u003e\u003ctcp_size\u003e1000|\r\nThere are those missing XML tags. 
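The leapfrogging used above (keystream = ciphertext ⊕ known plaintext, then that keystream applied to every other file that shares it) is worth seeing end to end. The Python below is an added example and not the author's xor3.pl; the keystream, the config and the two plugin images in it are constructed stand-ins that copy the layout described in this post (one keystream shared by several files, a standard DOS header, the default Microsoft stub at 0x40), not the real Black Energy files. Names such as shared_plaintext_offsets, recover_keystream and decrypt_partial are this example's own.

```python
"""Recovering a reused XOR keystream from known plaintext.

Added example, not the author's xor3.pl. Everything below is CONSTRUCTED:
a toy keystream, a hypothetical plugin config and two PE-like plugin
images, laid out like the post's files (same keystream for every file,
standard DOS header, default Microsoft DOS stub at offset 0x40).
"""
import hashlib
from typing import Dict, List, Optional

# Default Microsoft DOS stub, 0x40 bytes, exactly as quoted in the post.
DOS_STUB = (
    b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"
    + b"This program cannot be run in DOS mode.\r\r\n$"
    + b"\x00" * 7
)
# DOS header of the recovered syn.exe from the post (e_lfanew = 0xe8).
DOS_HEADER = bytes.fromhex(
    "4d5a90000300000004000000ffff0000"
    "b8000000000000004000000000000000"
    "00000000000000000000000000000000"
    "000000000000000000000000e8000000"
)
# Hypothetical plugin config in the style of the recovered XML (constructed).
CONFIG = (
    b'<?xml version="1.0"?>\n<bkernel>\n<plugins>\n'
    b'<plugin>\n<name>ddos</name>\n<version>1</version>\n</plugin>\n'
    b'<plugin>\n<name>http</name>\n<version>1</version>\n</plugin>\n'
    b'</plugins>\n</bkernel>\n'
)


def fake_plugin_image(body: bytes) -> bytes:
    """Constructed PE-like image: DOS header, DOS stub, then a fake PE part.
    (The real files carry a Rich header before the PE header; omitted here.)"""
    pe_part = b"PE\x00\x00\x4c\x01\x04\x00" + body
    return DOS_HEADER + DOS_STUB + pe_part.ljust(0x80, b"\x00")


HTTP_EXE = fake_plugin_image(b"http plugin body (constructed)")
SYN_EXE = fake_plugin_image(b"syn plugin body (constructed)")


def demo_keystream(length: int) -> bytes:
    """Deterministic stand-in for the unknown keystream (SHA-256 counter mode)."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hashlib.sha256(b"constructed-keystream-%d" % block).digest()
        block += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR over the common prefix, what xor3.pl does with two files."""
    return bytes(x ^ y for x, y in zip(a, b))


KEYSTREAM = demo_keystream(0x200)
CIPHERTEXTS = {
    "xml.crypt": xor_bytes(CONFIG, KEYSTREAM),
    "http.crypt": xor_bytes(HTTP_EXE, KEYSTREAM),
    "syn.crypt": xor_bytes(SYN_EXE, KEYSTREAM),
}


def shared_plaintext_offsets(cts: List[bytes]) -> List[int]:
    """Offsets where all ciphertexts agree. With one shared keystream,
    c_i = p_i ^ k, so equal ciphertext bytes mean equal plaintext bytes
    (the 'identical noise' observation in the post)."""
    n = min(len(c) for c in cts)
    return [i for i in range(n) if len({c[i] for c in cts}) == 1]


def recover_keystream(ct: bytes, known: Dict[int, bytes],
                      ks: Optional[List[Optional[int]]] = None) -> List[Optional[int]]:
    """XOR known plaintext fragments {offset: bytes} of one ciphertext into a
    keystream array; None marks positions that are still unknown."""
    if ks is None:
        ks = [None] * len(ct)
    for offset, fragment in known.items():
        for j, p in enumerate(fragment):
            ks[offset + j] = ct[offset + j] ^ p
    return ks


def decrypt_partial(ct: bytes, ks: List[Optional[int]], unknown: int = 0x3F) -> bytes:
    """Apply a partial keystream; unknown positions come out as '?'."""
    return bytes((c ^ k) if k is not None else unknown for c, k in zip(ct, ks))


def recover_all() -> Dict[str, bytes]:
    """The leapfrog used in the post: DOS stub -> config -> every other file."""
    cts = CIPHERTEXTS
    # 1. The default DOS stub at 0x40 is known plaintext in every PE file,
    #    so XORing it into syn.crypt yields keystream bytes 0x40-0x7f ...
    ks = recover_keystream(cts["syn.crypt"], {0x40: DOS_STUB})
    # 2. ... which makes that stretch of the config readable XML (in the post
    #    the first 0x40 bytes were readable already; here they stay '?' until step 3).
    config_after_stub = decrypt_partial(cts["xml.crypt"], ks)
    # 3. Hand-corrected XML is known plaintext for its whole length, and that
    #    keystream decrypts the same number of bytes of every other file.
    ks = recover_keystream(cts["xml.crypt"], {0x00: CONFIG}, ks)
    return {
        "config_after_stub": config_after_stub,
        "http_recovered": decrypt_partial(cts["http.crypt"], ks),
        "syn_recovered": decrypt_partial(cts["syn.crypt"], ks),
    }
```

With real samples the three .crypt files replace the constructed ciphertexts and nothing else changes: the offsets at which every ciphertext agrees mark shared plaintext, the DOS stub at 0x40 is known plaintext in every PE file, and each region of one file that you can correct by eye (XML, section names, the NULL runs of a PE header) is new keystream for all the others.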
The “ \u003cname\u003eddos\u003c/name\u003e ” block is already in the clear above, so it would not be unreasonable to guess that the noise holds the rest of the http plugin’s block (its version) and a third block containing “ \u003cname\u003esyn\u003c/name\u003e ”.\r\nAlmost there, now there’s just the bytes between 0x80 and 0xD7 left to go.\r\nperl /home/jwolf/xor3.pl xml.crypt demo2 demo2.keystream\r\nDEBUG: xml.crypt ^ demo2 -\u003e demo2.keystream\r\nperl /home/jwolf/xor3.pl syn.crypt demo2.keystream demo2.syn\r\nDEBUG: syn.crypt ^ demo2.keystream -\u003e demo2.syn\r\nRich Header\r\nSo, what about the bytes between 0x80 and 0xD7 ? Since the Visual C++ 6 era (late 1990s, not just 2003 onwards), Microsoft’s linker has been putting an extra, undocumented chunk into the EXE headers between the DOS stub and the PE header. The “ Rich ” in the http.exe⊕syn.exe dump above rather gives it away.\r\nUsing a time machine to skip to the end of this blog post, these are the decrypted headers from the “ syn.exe ” file. 
I’ll be using it for the examples below.\r\n00000040 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 |........!..L.!Th|\r\n00000050 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f |is program canno|\r\n00000060 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 |t be run in DOS |\r\n00000070 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 |mode....$.......|\r\n00000080 67 6f cc f5 23 0e a2 a6 23 0e a2 a6 23 0e a2 a6 |go..#...#...#...|\r\n00000090 26 02 ff a6 21 0e a2 a6 e0 01 ff a6 21 0e a2 a6 |\u0026...!.......!...|\r\n000000a0 30 06 ff a6 21 0e a2 a6 a0 06 ff a6 28 0e a2 a6 |0...!.......(...|\r\n000000b0 23 0e a3 a6 05 0e a2 a6 26 02 c2 a6 24 0e a2 a6 |#.......\u0026...$...|\r\n000000c0 26 02 fe a6 22 0e a2 a6 26 02 f8 a6 22 0e a2 a6 |\u0026...\"...\u0026...\"...|\r\n000000d0 52 69 63 68 23 0e a2 a6 00 00 00 00 00 00 00 00 |Rich#...........|\r\n000000e0 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 |........PE..L...|\r\nNote how the NULL s lined up:\r\n000000d0 52 69 63 68 23 0e a2 a6 00 00 00 00 00 00 00 00 |Rich#...........| future decrypted syn.exe\r\n000000d0 ac d3 f3 c7 a8 df a9 c7 52 69 63 68 a9 df a9 c7 |........Rich....| future decrypted http.exe\r\n000000d0 fe ba 90 af 8b d1 0b 61 52 69 63 68 a9 df a9 c7 |.......aRich....| syn.exe⊕http.exe\r\nRich Header Structure\r\nA checksum is calculated over the bytes of the EXE file that precede the Rich header (the DOS header and stub). It starts out as the file offset of the Rich header itself (0x80 here); then each byte is added to it after being rotated left, within 32 bits, by its file offset (the rotation count is the offset modulo 32, so offsets of 32 and above wrap). The four bytes of e_lfanew at 0x3C-0x3F are skipped. Note that this is a 32-bit rotate and not a plain shift: a shift by 32 or more would discard the byte entirely. Take a look at the code below if that doesn’t make sense. For the “ syn.exe ” file, the 0x80 bytes of the DOS header and stub come out to 0x884f3421 .\r\nThis partial total then has each @comp.id DWORD of the list inside the (decrypted) Rich header added to it, rotated left by the count DWORD written after it. The count is usually small, under a byte, but it can exceed 32 (the 0x26 in this very file does), in which case the rotation again wraps modulo 32. 
This final total is the hash, and the linker also uses it as the XOR key for the whole block.\r\nThe first 16 bytes of the header are this string (“ DanS ” followed by three NULL DWORDs), each DWORD XOR ‘d with the hash:\r\n00000080 44 61 6e 53 00 00 00 00 00 00 00 00 00 00 00 00 |DanS............|\r\nUsing the “ syn.exe ” file again as an example, the hash total was 0xa6a20e23 . When XOR ‘d by this value, those 16 bytes become:\r\n00000080 67 6f cc f5 23 0e a2 a6 23 0e a2 a6 23 0e a2 a6 |go..#...#...#...|\r\nThen, for each tool version used in compiling and linking this EXE, a @comp.id DWORD is written, followed by the count DWORD that served as the rotation amount in the hash calculation above; both are XOR ‘d with the hash as well. This section will always be a multiple of eight bytes in length. For example (decrypted):\r\n comp.id Count comp.id Count\r\n00000090 05 0c 5d 00 02 00 00 00 c3 0f 5d 00 02 00 00 00 |..].......].....|\r\n000000a0 13 08 5d 00 02 00 00 00 83 08 5d 00 0b 00 00 00 |..].......].....|\r\n000000b0 00 00 01 00 26 00 00 00 05 0c 60 00 07 00 00 00 |....\u0026.....`.....|\r\n000000c0 05 0c 5c 00 01 00 00 00 05 0c 5a 00 01 00 00 00 |..\\.......Z.....|\r\nThen, at the end of the list, there is the constant value \"Rich\" ( 0x68636952 ), stored unencrypted, followed by the hash, and then there is ei\r\n Hash sixteen bytes of padding\r\n000000d0 52 69 63 68 23 0e a2 a6 00 00 00 00 00 00 00 00 |Rich#...........|\r\n000000e0 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 |........PE..L...|\r\nSomething to take note of is the large number of NULL s in this structure, if you're going to be using this structure to\r\n00000080 44 61 6e 53 00 00 00 00 00 00 00 00 00 00 00 00 |DanS............|\r\n00000090 05 0c 5d 00 02 00 00 00 c3 0f 5d 00 02 00 00 00 |..].......].....|\r\n000000a0 13 08 5d 00 02 00 00 00 83 08 5d 00 0b 00 00 00 |..].......].....|\r\n000000b0 00 00 01 00 26 00 00 00 05 0c 60 00 07 00 00 00 |....\u0026.....`.....|\r\n000000c0 05 0c 5c 00 01 00 00 00 05 0c 5a 00 01 00 00 00 |..\\.......Z.....|
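The checksum just described can be recomputed from the recovered bytes, which is the one hard verification available for this part of the file (the "Check Rich Headers" step near the end of the post). The Python below is an added example and not the author's appendix program: it parses the Rich block of the recovered syn.exe header quoted above, recomputes the checksum, and, because every byte of the DOS header and stub and every @comp.id feeds the sum, can also test a single uncertain byte, such as the one at 0xC1 that the keystream alone cannot settle. The header bytes are copied from the post's hexdumps; names such as parse_rich, rich_checksum and candidates_for_byte are this example's own.

```python
"""Rich header parser and checksum check.

Added example (not the author's appendix program). SYN_HEADER is copied
from the post's hexdump of the recovered syn.exe, offsets 0x00-0xEF:
DOS header, default DOS stub, the still-encrypted Rich header, padding and
the start of the PE header. Function names are this example's own.
"""
import struct
from typing import Dict, List, Tuple

SYN_HEADER = bytes.fromhex(
    "4d5a90000300000004000000ffff0000"  # 0x00 DOS header
    "b8000000000000004000000000000000"  # 0x10
    "00000000000000000000000000000000"  # 0x20
    "000000000000000000000000e8000000"  # 0x30 e_lfanew = 0xe8
    "0e1fba0e00b409cd21b8014ccd215468"  # 0x40 DOS stub
    "69732070726f6772616d2063616e6e6f"  # 0x50
    "742062652072756e20696e20444f5320"  # 0x60
    "6d6f64652e0d0d0a2400000000000000"  # 0x70
    "676fccf5230ea2a6230ea2a6230ea2a6"  # 0x80 "DanS" ^ key, 3 x (0 ^ key)
    "2602ffa6210ea2a6e001ffa6210ea2a6"  # 0x90 (comp.id ^ key, count ^ key) ...
    "3006ffa6210ea2a6a006ffa6280ea2a6"  # 0xa0
    "230ea3a6050ea2a62602c2a6240ea2a6"  # 0xb0
    "2602fea6220ea2a62602f8a6220ea2a6"  # 0xc0
    "52696368230ea2a60000000000000000"  # 0xd0 "Rich", key, padding
    "0000000000000000504500004c010400"  # 0xe0 padding, "PE\0\0"
)

DANS = 0x536E6144  # "DanS" read as a little-endian DWORD


def rol32(value: int, count: int) -> int:
    """32-bit rotate left. The checksum rotates; a plain shift by 32 or
    more would throw the byte away."""
    count %= 32
    value &= 0xFFFFFFFF
    return ((value << count) | (value >> (32 - count))) & 0xFFFFFFFF


def parse_rich(image: bytes) -> Tuple[int, int, int, List[Tuple[int, int]]]:
    """Locate the Rich header and decrypt it.

    Returns (dans_offset, rich_offset, key, entries); entries is a list of
    (comp_id, count) pairs in file order. The key stored after "Rich" is
    also the checksum the linker computed."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    rich_off = image.rfind(b"Rich", 0x40, e_lfanew)
    if rich_off < 0:
        raise ValueError("no Rich signature between DOS stub and PE header")
    key = struct.unpack_from("<I", image, rich_off + 4)[0]
    # Every DWORD of the block is XORed with the key: walk backwards until
    # one decrypts to "DanS".
    off = rich_off - 4
    while off >= 0x40 and struct.unpack_from("<I", image, off)[0] ^ key != DANS:
        off -= 4
    if off < 0x40:
        raise ValueError("no DanS marker found")
    entries = []
    # Skip "DanS" and the three zero padding DWORDs, then read the pairs.
    for pos in range(off + 16, rich_off, 8):
        comp_id, count = struct.unpack_from("<II", image, pos)
        entries.append((comp_id ^ key, count ^ key))
    return off, rich_off, key, entries


def rich_checksum(image: bytes, dans_off: int, entries: List[Tuple[int, int]]) -> int:
    """Recompute the checksum as the linker does: seed with the offset of the
    header, add every preceding byte rotated left by its offset (e_lfanew at
    0x3C-0x3F is skipped), then add each comp.id rotated left by its count."""
    total = dans_off
    for i in range(dans_off):
        if 0x3C <= i < 0x40:
            continue
        total = (total + rol32(image[i], i)) & 0xFFFFFFFF
    for comp_id, count in entries:
        total = (total + rol32(comp_id, count)) & 0xFFFFFFFF
    return total


def verify_rich(image: bytes) -> Dict[str, object]:
    """Parse, recompute and compare; 'valid' is the verdict."""
    dans_off, rich_off, key, entries = parse_rich(image)
    computed = rich_checksum(image, dans_off, entries)
    return {"dans_offset": dans_off, "rich_offset": rich_off, "key": key,
            "computed": computed, "valid": computed == key, "entries": entries}


def candidates_for_byte(image: bytes, offset: int) -> List[int]:
    """Every value of one header byte for which the checksum still matches:
    the check that settles a byte the known plaintext cannot reach."""
    hits = []
    for v in range(256):
        patched = bytearray(image)
        patched[offset] = v
        if verify_rich(bytes(patched))["valid"]:
            hits.append(v)
    return hits
```

rich_checksum(SYN_HEADER, 0x80, []) gives the 0x884f3421 partial total quoted above and verify_rich(SYN_HEADER)["computed"] the full 0xa6a20e23; candidates_for_byte(SYN_HEADER, 0xC1) returns a single value, the one that turns the XML's last unknown version digit into "1". On a real sample a mismatch means either a damaged header or a file that was not linked by Microsoft's linker (the block is trivially forged or stripped), so treat the check as corroboration, not proof.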
\r\n@comp.id\r\nNobody (publicly) knows exactly what is in the @comp.id . The low 16 bits is quite clearly the build number in the version\r\nI put together a short table of all the @comp.id 's that I could find in an hour or two. Please add to it. It's in Append\r\n(Later public work on the Rich header pinned the rest down: the high 16 bits identify the tool that produced the objects, e.g. C compiler, C++ compiler, assembler, linker or import library, the low 16 bits are that tool's build number, and the count DWORD after each @comp.id is how many objects that tool contributed.)\r\nBack to the present\r\nLet's pretend that you didn't know the hash.\r\nIt apparently ends with 0xA6 [the most significant byte], from what's already known of the keystream, viz.:\r\n000000d0 00 00 00 00 00 00 00 a6 00 00 00 00 00 00 00 00 |................|\r\n000000e0 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 |........PE..L...|\r\nAnd we can XOR the \"Syn\" EXE with the \"Http\" EXE. The RICH headers of one are 8 bytes longer than the other. We also know\r\n00000080 8a d1 0b 61 8a d1 0b 61 8a d1 0b 61 8a d1 0b 61 |...a...a...a...a|\r\n00000090 8a d1 59 61 8b d1 0b 61 4c d2 09 61 89 d1 0b 61 |..Ya...aL..a...a|\r\n000000a0 9c d5 0b 61 8a d1 0b 61 8a d1 09 61 80 d1 0b 61 |...a...a...a...a|\r\n000000b0 09 d9 57 61 ab d1 0b 61 8f dd 6a 61 9e d1 0b 61 |..Wa...a..ja...a|\r\n000000c0 8a d1 37 61 8e d1 0b 61 8a d1 0d 61 8a d1 0b 61 |..7a...a...a...a|\r\n000000d0 fe ba 90 af 8b d1 0b 61 52 69 63 68 a9 df a9 c7 |.......aRich....|\r\n000000e0 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 |........PE..L...|\r\nWe can also see a visible \"Rich\" header above, from the \"Http\" EXE, and right after it that file's hash ( a9 df a9 c7 ) in the clear, because the \"Syn\" EXE has only NULL s at those offsets. 
If the \"Syn\" EXE didn't have anything at that same of\r\nSo, 0x610BD18A XOR 0xC7A9DFA9 = 0xA6A20E23 , which is ultimately the correct hash for the \"Syn\" EXE.\r\nAlternatively\r\nSince this is how I actually did it the first time, without knowing as much as I do now about the Rich header, and I want\r\nI XOR 'd the two hashes which come right after the \"Rich\".\r\n000000d0 fe ba 90 af 8b d1 0b 61 52 69 63 68 a9 df a9 c7 |.......aRich....|\r\nThat's 8b d1 0b 61 XOR a9 df a9 c7 = 22 0e a2 a6 (0xA6A20E22) , which is off by one — the one bit being an occurrence count of\r\nSo, I XOR 'd 0xA6A20E22 with the XML data between offsets 0x80 and 0xd7, and look! Almost done!\r\n00000000 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 |\u003c?xml version=\"1|\r\n00000010 2e 30 22 3f 3e 0a 3c 62 6b 65 72 6e 65 6c 3e 0a |.0\"?\u003e.\u003cbkernel\u003e.|\r\n00000020 3c 70 6c 75 67 69 6e 73 3e 0a 3c 70 6c 75 67 69 |\u003cplugins\u003e.\u003cplugi|\r\n00000030 6e 3e 0a 3c 6e 61 6d 65 3e 64 64 6f 73 3c 2f 6e |n\u003e.\u003cname\u003eddos\u003c/n|\r\n00000040 61 6d 65 3e 0a 3c 76 65 72 73 69 6f 6e 3e 31 3c |ame\u003e.\u003cversion\u003e1\u003c|\r\n00000050 2f 76 65 72 73 69 6f 6e 3e 0a 3c 2f 70 6c 75 67 |/version\u003e.\u003c/plug|\r\n00000060 69 6e 3e 0a 3c 70 6c 75 67 69 6e 3e 0a 3c 6e 61 |in\u003e.\u003cplugin\u003e.\u003cna|\r\n00000070 6d 65 3e 68 74 74 70 3c 2f 6e 61 6d 65 3e 0a 3c |me\u003ehttp\u003c/name\u003e.\u003c|\r\n00000080 33 04 1c 20 68 6f 6e 3e 30 3c 2f 76 64 72 73 69 |3.. 
hon\u003e0\u003c/vdrsi|\r\n00000090 6b 62 63 0a 3f 2f 70 6c b7 68 34 6e 3d 0a 3c 70 |kbc.?/pl.h4n=.\u003cp|\r\n000000a0 7e 7d 3a 69 6d 3e 0a 3c ec 69 30 65 34 73 79 6e |~}:im\u003e.\u003c.i0e4syn|\r\n000000b0 3d 2f 6f 61 4a 65 3e 0a 38 7a 05 72 75 69 6f 6e |=/oaJe\u003e.8z.ruion|\r\n000000c0 3a 3d 60 2f 76 65 72 73 6d 63 34 3e 0a 3c 2f 70 |:=`/versmc4\u003e.\u003c/p|\r\n000000d0 1c 12 a6 a7 6f 3e 0a 9a 2f 70 6c 75 67 69 6e 73 |....o\u003e../plugins|\r\n000000e0 3e 0a 3c 63 6d 64 73 3e 0a 3c 2f 63 6d 64 73 3e |\u003e.\u003ccmds\u003e.\u003c/cmds\u003e|\r\n000000f0 0a 3c 70 6c 67 5f 64 61 74 61 3e 0a 3c 64 64 6f |.\u003cplg_data\u003e.\u003cddo|\r\n00000100 73 3e 3c 74 63 70 5f 73 69 7a 65 3e 31 30 30 30 |s\u003e\u003ctcp_size\u003e1000|\r\n00000110 3c 2f 74 63 70 5f 73 69 7a 65 3e 0d 0a 3c 74 63 |\u003c/tcp_size\u003e..\u003ctc|\r\nNote\r\nAlthough not used here, don't forget you can XOR out the \"Rich\" and \"DanS\" DWORDS where appropriate: their plaintext is known, \"Rich\" is stored unencrypted and \"DanS\" is only XOR'd with the hash.\r\nFixing the last chunk of XML\r\nSo pull this back up in a text editor and make another correction pass over it. Since half the DWORDS are less than 0x0000\r\nI'm doing these examples with the XOR hash that's slightly off. Since I already wrote up all the hexdumps and correction\r\n00000080 33 04 1c 20 68 6f 6e 3e 30 3c 2f 76 64 72 73 69 |3.. 
hon\u003e0\u003c/vdrsi|\r\n00000090 6b 62 63 0a 3f 2f 70 6c b7 68 34 6e 3d 0a 3c 70 |kbc.?/pl.h4n=.\u003cp|\r\n\" \u003c3\\x04\\x1c hon\u003e0\u003c/vdrsikbc\\x0A \" I believe looks like:\r\n\" \u003cversion\u003e0\u003c/version\u003e\\x0A \"\r\nThe bytes that come out right are exactly those where the Rich header plaintext is a NULL (the top byte of each @comp.id and the upper three bytes of each count), which is why the garbling repeats every eight bytes.\r\nThe next byte is garbled, but \" /pl \" should be correct, and the next three garbled, but \" n \" and then \" \\x0A\u003c\r\nThis is probably the closing \"plugin\" tag.\r\n\" ?/pl\\xB7h4n=\\x0A\u003cp \" becomes \" \u003c/plugin\u003e\\x0A\u003cp \"\r\n\" \u003cp~}:im\u003e\\x0A\u003c\" the \"~}: \" is wrong, the \" i \" should be correct, and the \" m \" wrong, while \" \u003e\\x0A\u003c \" is correct.\r\nI'm going to guess this also says \"plugin\"\r\n\" \u003cplugin\u003e\\x0A\u003c \"\r\n000000a0 7e 7d 3a 69 6d 3e 0a 3c ec 69 30 65 34 73 79 6e |~}:im\u003e.\u003c.i0e4syn|\r\n000000b0 3d 2f 6f 61 4a 65 3e 0a 38 7a 05 72 75 69 6f 6e |=/oaJe\u003e.8z.ruion|\r\n000000c0 3a 3d 60 2f 76 65 72 73 6d 63 34 3e 0a 3c 2f 70 |:=`/versmc4\u003e.\u003c/p|\r\n000000d0 1c 12 a6 a7 6f 3e 0a 9a 2f 70 6c 75 67 69 6e 73 |....o\u003e../plugins|\r\n\" \u003c\\xECi0e4syn \" the \" \\xECi0 \" part is garbled, the \" e \" is correct, the \" 4 \" isn't, and the \" syn \" is correct.\r\nConsidering that this is immediately followed by \" =/oaJe\u003e\\x0A \", and looking at the XML tags above. 
These are proba\r\n\" \u003cname\u003esyn\u003c/name\u003e\\x0A \"\r\n\" 8z\\x05ruion:=`/versmc4\u003e\\x0A \" Well, \" 8z\\x05 \" and \" u \" are wrong, \" r \" and \" ion \" are correct.\r\n\" :=` \" should be wrong, \" /vers \" correct, \" mc4 \" wrong, \" \u003e \" correct, \" \\x0a \" wro\r\nIt's probably version, considering the XML pattern from above.\r\nSo, corrected: \" \u003cversion\u003e=\u003c/version\u003e \" (Probably not \"Version =\" but rather a number, I'll deal with it later.)\r\n000000d0 1c 12 a6 a7 6f 3e 0a 9a 2f 70 6c 75 67 69 6e 73 |....o\u003e../plugins|\r\n\" \u003c/p\\x1c\\x12\\xa6\\xa7o\u003e\\x0AZ/plugins\u003e \" This is obviously the closing \"plugin\" tag.\r\n\" \u003c/plugin\u003e\\x0A\u003c/plugins\u003e \"\r\nSo, this looks almost totally correct, except for those version numbers. We can XOR this back against the original ciphert\r\nverify correctness of the EXE.\r\nFinal Pass\r\nReview\r\n00000000 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 |\u003c?xml version=\"1|\r\n00000010 2e 30 22 3f 3e 0a 3c 62 6b 65 72 6e 65 6c 3e 0a |.0\"?\u003e.\u003cbkernel\u003e.|\r\n00000020 3c 70 6c 75 67 69 6e 73 3e 0a 3c 70 6c 75 67 69 |\u003cplugins\u003e.\u003cplugi|\r\n00000030 6e 3e 0a 3c 6e 61 6d 65 3e 64 64 6f 73 3c 2f 6e |n\u003e.\u003cname\u003eddos\u003c/n|\r\n00000040 61 6d 65 3e 0a 3c 76 65 72 73 69 6f 6e 3e 31 3c |ame\u003e.\u003cversion\u003e1\u003c|\r\n00000050 2f 76 65 72 73 69 6f 6e 3e 0a 3c 2f 70 6c 75 67 |/version\u003e.\u003c/plug|\r\n00000060 69 6e 3e 0a 3c 70 6c 75 67 69 6e 3e 0a 3c 6e 61 |in\u003e.\u003cplugin\u003e.\u003cna|\r\n00000070 6d 65 3e 68 74 74 70 3c 2f 6e 61 6d 65 3e 0a 3c |me\u003ehttp\u003c/name\u003e.\u003c|\r\n00000080 76 65 72 73 69 6f 6e 3e 30 3c 2f 76 65 72 73 69 |version\u003e0\u003c/versi|\r\n00000090 6f 6e 3e 0a 3c 2f 70 6c 75 67 69 6e 3e 0a 3c 70 |on\u003e.\u003c/plugin\u003e.\u003cp|\r\n000000a0 6c 75 67 69 6e 3e 0a 3c 6e 61 6d 65 3e 73 79 6e 
|lugin\u003e.\u003cname\u003esyn|\r\n000000b0 3c 2f 6e 61 6d 65 3e 0a 3c 76 65 72 73 69 6f 6e |\u003c/name\u003e.\u003cversion|\r\n000000c0 3e 3d 3c 2f 76 65 72 73 69 6f 6e 3e 0a 3c 2f 70 |\u003e=\u003c/version\u003e.\u003c/p|\r\n000000d0 6c 75 67 69 6e 3e 0a 3c 2f 70 6c 75 67 69 6e 73 |lugin\u003e.\u003c/plugins|\r\n000000e0 3e 0a 3c 63 6d 64 73 3e 0a 3c 2f 63 6d 64 73 3e |\u003e.\u003ccmds\u003e.\u003c/cmds\u003e|\r\n000000f0 0a 3c 70 6c 67 5f 64 61 74 61 3e 0a 3c 64 64 6f |.\u003cplg_data\u003e.\u003cddo|\r\n00000100 73 3e 3c 74 63 70 5f 73 69 7a 65 3e 31 30 30 30 |s\u003e\u003ctcp_size\u003e1000|\r\n00000110 3c 2f 74 63 70 5f 73 69 7a 65 3e 0d 0a 3c 74 63 |\u003c/tcp_size\u003e..\u003ctc|\r\n00000120 70 5f 66 72 65 71 3e 35 30 3c 2f 74 63 70 5f 66 |p_freq\u003e50\u003c/tcp_f|\r\n00000130 72 65 71 3e 0d 0a 3c 74 63 70 5f 74 68 72 65 61 |req\u003e..\u003ctcp_threa|\r\n00000140 64 73 3e 35 3c 2f 74 63 70 5f 74 68 72 65 61 64 |ds\u003e5\u003c/tcp_thread|\r\n00000150 73 3e 0d 0a 3c 75 64 70 5f 73 69 7a 65 3e 31 30 |s\u003e..\u003cudp_size\u003e10|\r\n00000160 30 30 3c 2f 75 64 70 5f 73 69 7a 65 3e 0d 0a 3c |00\u003c/udp_size\u003e..\u003c|\r\n00000170 75 64 70 5f 66 72 65 71 3e 35 30 3c 2f 75 64 70 |udp_freq\u003e50\u003c/udp|\r\n00000180 5f 66 72 65 71 3e 0d 0a 3c 75 64 70 5f 74 68 72 |_freq\u003e..\u003cudp_thr|\r\n00000190 65 61 64 73 3e 35 3c 2f 75 64 70 5f 74 68 72 65 |eads\u003e5\u003c/udp_thre|\r\n000001a0 61 64 73 3e 0d 0a 3c 69 63 6d 70 5f 73 69 7a 65 |ads\u003e..\u003cicmp_size|\r\n000001b0 3e 31 30 30 30 3c 2f 69 63 6d 70 5f 73 69 7a 65 |\u003e1000\u003c/icmp_size|\r\n000001c0 3e 0d 0a 3c 69 63 6d 70 5f 66 72 65 71 3e 35 30 |\u003e..\u003cicmp_freq\u003e50|\r\n000001d0 3c 2f 69 63 6d 70 5f 66 72 65 71 3e 0d 0a 3c 69 |\u003c/icmp_freq\u003e..\u003ci|\r\n000001e0 63 6d 70 5f 74 68 72 65 61 64 73 3e 35 3c 2f 
69 |cmp_threads\u003e5\u003c/i|\r\n000001f0 63 6d 70 5f 74 68 72 65 61 64 73 3e 0d 0a 3c 68 |cmp_threads\u003e..\u003ch|\r\n00000200 74 74 70 5f 66 72 65 71 3e 31 30 30 3c 2f 68 74 |ttp_freq\u003e100\u003c/ht|\r\n00000210 74 70 5f 66 72 65 71 3e 0d 0a 3c 68 74 74 70 5f |tp_freq\u003e..\u003chttp_|\r\n00000220 74 68 72 65 61 64 73 3e 35 3c 2f 68 74 74 70 5f |threads\u003e5\u003c/http_|\r\n00000230 74 68 72 65 61 64 73 3e 3c 2f 64 64 6f 73 3e 0a |threads\u003e\u003c/ddos\u003e.|\r\n00000240 3c 68 74 74 70 3e 3c 68 74 74 70 5f 66 72 65 71 |\u003chttp\u003e\u003chttp_freq|\r\n00000250 3e 33 30 3c 2f 68 74 74 70 5f 66 72 65 71 3e 0d |\u003e30\u003c/http_freq\u003e.|\r\n00000260 0a 3c 68 74 74 70 5f 74 68 72 65 61 64 73 3e 32 |.\u003chttp_threads\u003e2|\r\n00000270 3c 2f 68 74 74 70 5f 74 68 72 65 61 64 73 3e 3c |\u003c/http_threads\u003e\u003c|\r\n00000280 2f 68 74 74 70 3e 0a 3c 73 79 6e 3e 3c 73 79 6e |/http\u003e.\u003csyn\u003e\u003csyn|\r\n00000290 5f 66 72 65 71 3e 32 30 3c 2f 73 79 6e 5f 66 72 |_freq\u003e20\u003c/syn_fr|\r\n000002a0 65 71 3e 0d 0a 3c 73 79 6e 5f 74 68 72 65 61 64 |eq\u003e..\u003csyn_thread|\r\n000002b0 73 3e 33 3c 2f 73 79 6e 5f 74 68 72 65 61 64 73 |s\u003e3\u003c/syn_threads|\r\n000002c0 3e 3c 2f 73 79 6e 3e 0a 3c 2f 70 6c 67 5f 64 61 |\u003e\u003c/syn\u003e.\u003c/plg_da|\r\n000002d0 74 61 3e 0a 3c 73 6c 65 65 70 66 72 65 71 3e 39 |ta\u003e.\u003csleepfreq\u003e9|\r\n000002e0 30 30 3c 2f 73 6c 65 65 70 66 72 65 71 3e 0a 3c |00\u003c/sleepfreq\u003e.\u003c|\r\n000002f0 69 70 3e 31 32 38 2e 31 33 30 2e 35 36 2e 32 32 |ip\u003e128.130.56.22|\r\n00000300 3c 2f 69 70 3e 0a 3c 2f 62 6b 65 72 6e 65 6c 3e |\u003c/ip\u003e.\u003c/bkernel\u003e|\r\n00000310 0a |.|\r\n00000311\r\n00000000 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 |MZ..............| ; MZ!\r\n00000010 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 |........@.......|\r\n00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|\r\n00000030 00 00 00 00 00 00 00 00 
00 00 00 00 e8 00 00 00 |................|\r\n00000040 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 |........!..L.!Th| ; Dos stub\r\n00000050 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f |is program canno|\r\n00000060 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 |t be run in DOS |\r\n00000070 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 |mode....$.......|\r\n00000080 67 6f cc f5 23 0e a2 a6 22 0e a2 a6 23 0e a2 a6 |go..#...\"...#...| ; oops, still off\r\n00000090 26 02 ff a6 21 0e a2 a6 e0 01 ff a6 21 0e a2 a6 |\u0026...!.......!...|\r\n000000a0 30 06 ff a6 21 0e a2 a6 a0 06 ff a6 28 0e a2 a6 |0...!.......(...|\r\n000000b0 23 0e a3 a6 05 0e a2 a6 26 02 c2 a6 24 0e a2 a6 |#.......\u0026...$...|\r\n000000c0 26 0e fe a6 22 0e a2 a6 26 02 f8 a6 22 0e a2 a6 |\u0026...\"...\u0026...\"...|\r\n000000d0 52 69 63 68 23 0e a2 a6 00 00 00 00 00 00 00 00 |Rich#...........|\r\n000000e0 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 |........PE..L...| ; PE Header\r\n000000f0 79 42 b3 48 00 00 00 00 00 00 00 00 e0 00 0e 21 |yB.H...........!|\r\n00000100 0b 01 07 0a 00 0e 00 00 00 3a 00 00 00 00 00 00 |.........:......| ; PE Optional Header\r\n00000110 ac 10 00 00 00 10 00 00 00 20 00 00 00 00 00 10 |......... ......|\r\n00000120 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 |................|\r\n00000130 04 00 00 00 00 00 00 00 00 70 00 00 00 04 00 00 |.........p......|\r\n00000140 00 00 00 00 02 00 00 04 00 00 10 00 00 10 00 00 |................|\r\n00000150 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 |................|\r\n00000160 10 26 00 00 62 00 00 00 08 22 00 00 b4 00 00 00 |.\u0026..b....\"......|\r\n00000170 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|\r\n00000180 00 00 00 00 00 00 00 00 00 60 00 00 bc 00 00 00 |.........`......|\r\n00000190 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|\r\n*\r\n000001c0 00 20 00 00 b4 00 00 00 00 00 00 00 00 00 00 00 |. 
..............|\r\n000001d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|\r\n000001e0 2e 74 65 78 74 00 00 00 00 0d 00 00 00 10 00 00 |.text...........|\r\n000001f0 00 0e 00 00 00 04 00 00 00 00 00 00 00 00 00 00 |................|\r\n00000200 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 |.... ..`.rdata..|\r\n00000210 72 06 00 00 00 20 00 00 00 08 00 00 00 12 00 00 |r.... ..........|\r\n00000220 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 |............@..@|\r\n00000230 2e 64 61 74 61 00 00 00 70 2e 00 00 00 30 00 00 |.data...p....0..|\r\n00000240 00 26 00 00 00 1a 00 00 00 00 00 00 00 00 00 00 |.\u0026..............|\r\n00000250 00 00 00 00 40 00 00 c0 2e 72 65 6c 6f 63 00 00 |....@....reloc..|\r\n00000260 4c 01 00 00 00 60 00 00 00 02 00 00 00 40 00 00 |L....`.......@..|\r\n00000270 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 |............@..B|\r\n00000280 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|\r\n*\r\n00000310 00 |.|\r\n00000311\r\nFinally...\r\nOk, so we now know the correct value of the mask, since we're confident that the corresponding XML is correct here.\r\n000000d0 52 69 63 68 23 0e a2 a6 00 00 00 00 00 00 00 00 |Rich#...........|\r\n000000d0 6c 75 67 69 6e 3e 0a 3c 2f 70 6c 75 67 69 6e 73 |lugin\u003e.\u003c/plugins|\r\nThe correct mask to use is \"23 0e a2 a6\", not \"22 0e a2 a6\" as was our [my] first guess, but they were very close: they only differ by \"01 00 00 00\", so the correction bitmask I used was something like:\r\n(You could also redo everything from \"Fixing the last chunk of XML\" above, if you want to do all that XML correction over\r\n01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00\r\n00000080 67 6f cc f5 23 0e a2 a6 22 0e a2 a6 23 0e a2 a6 |go..#...\"...#...|\r\n00000080 76 65 72 73 69 6f 6e 3e 30 3c 2f 76 65 72 73 69 
|version\u003e0\u003c/versi|\r\nCorrection:\r\n00000080 67 6f cc f5 23 0e a2 a6 23 0e a2 a6 23 0e a2 a6 |go..#...#...#...|\r\n00000080 76 65 72 73 69 6f 6e 3e 31 3c 2f 76 65 72 73 69 |version\u003e1\u003c/versi|\r\nSo, the version number tag was still off by one, correcting to \" 1 \".\r\nFor the other version number, however, it's an actual unknown byte value,\r\ndependent upon whatever was going through Visual Studio's Linker's tiny little mind at compile time.\r\nThis is the last unknown byte in the file(s), and the only place so far where there is not enough information…\r\nYou could say, Well fuck it! It's probably also \" 1 \" like the other two version strings. (There's only a 1 in 16 chance o\r\n01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00\r\n000000c0 26 0e fe a6 22 0e a2 a6 26 02 f8 a6 22 0e a2 a6 |\u0026...\"...\u0026...\"...|\r\n000000c0 3e 3d 3c 2f 76 65 72 73 69 6f 6e 3e 0a 3c 2f 70 |\u003e=\u003c/version\u003e.\u003c/p|\r\n000000c0 26 02 fe a6 22 0e a2 a6 26 02 f8 a6 22 0e a2 a6 |\u0026...\"...\u0026...\"...|\r\n000000c0 3e 31 3c 2f 76 65 72 73 69 6f 6e 3e 0a 3c 2f 70 |\u003e1\u003c/version\u003e.\u003c/p|\r\nYou could also try against it all known @comp.id's matching the pattern \" 26 ?? fe a6 \". Or, if every other byte up to t\r\nSo, after doing all this, the finished config file that I came up with hashes to 2eddd3fa59f2bbec61415fc599e1aee8\r\nAnd so we can recover the keystream, and decrypt the first 785 bytes of the other three EXE (really DLL) files. This is wh\r\n27e95b028ddde6dbd9f58f3796b54f26 ddos.dll_first_785\r\nd3c76705708d33f95a86da0dedbf5d9d http.dll_first_785\r\nb4a14bdc6d19a805a9bd9008f555a2fa syn.dll_first_785\r\nAnyway, if you have a large malware zoo, you can search for DLL files, which are 11264, 6657, and 16896 bytes long. 
And wh\r\nAnd if you do this, the files that you find are:\r\n5991402077ab21c5e656550214298f20 ddos.dll [Live Sample]\r\nfe9cf7b3f01816393298ff1345ca3c04 http.dll [Live Sample]\r\n87b71080d75b5ca222fa51ce7563a615 syn.dll [Live Sample]\r\nAll of which I've tossed up on OC for your enjoyment education. None of them are packed, all of the imports to \" main.dll\r\nVerification\r\nSimple Check\r\nEach of these three, when XOR'd with its encrypted counterpart, produces the exact same keystream. So these are the cor\r\nCheck PE Headers\r\nAre you tired of reading this yet, because I'm certainly tired of writing this. Anyway, all you need to know about PE head\r\nhttp://www.microsoft.com/whdc/system/platform/firmware/PECOFF.mspx\r\nYou can sanity check them if you would like; I'm not going to bother. See Appendix F.\r\nCheck Rich Headers\r\nThe hash of the first umpteen bytes should calculate out correctly. I wrote a program to do some of these checks. See Appe\r\nReferences\r\nAbsolutely everything that I could find about the \"Rich\" header.\r\nhttp://ntcore.com/Files/richsign.htm\r\nhttp://web17.webbpro.de/index.php?page=microsofts-rich-header\r\nhttp://www.woodmann.com/forum/archive/index.php/t-11367.html\r\nhttp://trendystephen.blogspot.com/2008/01/rich-header.html\r\nAnd then I saw, http://docs.google.com/Doc?id=dcn764fg_2j54gzfc .\r\nThe Future\r\nNewer versions of \"Black Energy\" — or what everyone calls \"Black Energy v2\" — do something completely different with their\r\nExamine these two cyphertexts. These are the ones I used as examples. 
Notice how all but a single byte between offsets 0\r\nsyn.dll:\r\n00000000 81 7f 91 83 33 59 b8 82 04 4a de ba 99 87 86 0e |....3Y...J......|\r\n00000010 92 5b e2 78 d0 8a 59 8a ba 4a c5 f4 59 31 48 1e |.[.x..Y..J..Y1H.|\r\n00000020 29 a9 86 92 2d 60 6d 76 e9 6e 84 b8 30 7a 45 3d |)...-`mv.n..0zE=|\r\n00000030 b6 27 30 7d 60 6e 3e 62 1a 71 59 22 ed 45 56 1e |.'0}`n\u003eb.qY\".EV.|\r\n00000040 24 89 84 5c 1d e6 e1 c5 c9 f1 27 22 34 c0 c8 35 |$..\\......'\"4..5|\r\n00000050 fc 69 10 02 e4 31 4d 88 fc f4 38 8b 38 04 f4 00 |.i...1M...8.8...|\r\n00000060 cb de 98 7c c8 fc f8 1b 2e 32 7a 9a 66 d6 16 41 |...|.....2z.f..A|\r\n00000070 20 89 81 2d 04 68 f7 b0 7e da 60 30 62 0e 5d e2 | ..-.h..~.`0b.].|\r\n00000080 df 6e 86 a8 39 1a eb 0b c2 6d cc ab b2 2c 46 3a |.n..9....m...,F:|\r\n00000090 6f 46 01 8c b0 f7 f2 d1 06 74 be 80 68 a0 bd 0c |oF.......t..h...|\r\nhttp.dll:\r\n00000000 81 7f 91 83 33 59 b8 82 04 4a de ba 99 87 86 0e |....3Y...J......|\r\n00000010 92 5b e2 78 d0 8a 59 8a ba 4a c5 f4 59 31 48 1e |.[.x..Y..J..Y1H.|\r\n00000020 29 a9 86 92 2d 60 6d 76 e9 6e 84 b8 30 7a 45 3d |)...-`mv.n..0zE=|\r\n00000030 b6 27 30 7d 60 6e 3e 62 1a 71 59 22 fd 45 56 1e |.'0}`n\u003eb.qY\".EV.|\r\n00000040 24 89 84 5c 1d e6 e1 c5 c9 f1 27 22 34 c0 c8 35 |$..\\......'\"4..5|\r\n00000050 fc 69 10 02 e4 31 4d 88 fc f4 38 8b 38 04 f4 00 |.i...1M...8.8...|\r\n00000060 cb de 98 7c c8 fc f8 1b 2e 32 7a 9a 66 d6 16 41 |...|.....2z.f..A|\r\n00000070 20 89 81 2d 04 68 f7 b0 7e da 60 30 62 0e 5d e2 | ..-.h..~.`0b.].|\r\n00000080 55 bf 8d c9 b3 cb e0 6a 48 bc c7 ca 38 fd 4d 5b |U......jH...8.M[|\r\n00000090 e5 97 58 ed 3b 26 f9 b0 4a a6 b7 e1 e1 71 b6 6d |..X.;\u0026..J....q.m|\r\nNow look at these three newer cyphertexts, generated by newer versions of the bot. 
There is nothing in common.\r\nEXE 1:\r\n00000000 e9 e1 c4 48 3b 42 c2 94 df 90 50 ef d2 8f 10 78 |...H;B....P....x|\r\n00000010 8f 5c f4 c8 d0 0d a4 5c 7c 14 3a 19 f9 d3 f9 7c |.\\.....\\|.:....||\r\n00000020 85 48 6c fa 1d 44 c3 cf 37 8c 19 e3 17 1c d8 b6 |.Hl..D..7.......|\r\n00000030 c8 98 34 70 e6 57 3c 38 0e 9e fa 9e 27 a2 22 4b |..4p.W\u003c8....'.\"K|\r\n00000040 9e 7b 7e d3 5b a4 2b 71 b2 1e 5d fc 69 ee 0e be |.{~.[.+q..].i...|\r\n00000050 ab 20 68 b3 f7 d7 2b 3f 6c 9d 90 0b 62 85 46 e2 |. h...+?l...b.F.|\r\n00000060 00 d9 b2 8e e8 90 0c 06 74 af 2a 70 de c9 ee d7 |........t.*p....|\r\n00000070 7d f3 59 16 2b fe 86 7d 2c 39 b8 68 59 dc 79 c2 |}.Y.+..},9.hY.y.|\r\n00000080 83 99 3c 7d fd 1d f2 ad 3b 9e 2a 18 14 b0 15 95 |..\u003c}....;.*.....|\r\n00000090 ee 3f 3a ab 04 85 be 9d e5 27 c1 02 aa 26 aa 55 |.?:......'...\u0026.U|\r\nEXE 2:\r\n00000000 4f 57 70 aa 8c 86 a0 54 b5 d6 14 d0 3e d5 e1 40 |OWp....T....\u003e..@|\r\n00000010 12 20 c1 44 02 61 26 e1 1b 0a 4d 3a 7b 2a 6a f1 |. .D.a\u0026...M:{*j.|\r\n00000020 02 7c 6f 29 d1 5b c6 11 10 ee d1 c6 8a 03 11 c3 |.|o).[..........|\r\n00000030 42 e1 21 3c 62 2d 98 e6 0d 9c 40 91 48 34 8f b0 |B.!\u003cb-....@.H4..|\r\n00000040 4a 32 70 a3 20 34 e7 02 67 19 eb 2a 0c b5 ed ec |J2p. 
4..g..*....|\r\n00000050 83 3a 76 1e 49 b3 13 34 02 82 2f e5 6c 2e be 74 |.:v.I..4../.l..t|\r\n00000060 13 03 4d 07 6f 33 16 68 11 c6 a9 02 c4 3f 77 e2 |..M.o3.h.....?w.|\r\n00000070 5d 34 0a 1e ef cd 2f 50 d4 76 e2 58 a0 c7 af 6d |]4..../P.v.X...m|\r\n00000080 3d 74 a0 99 ef 75 e4 5e 07 d2 0f 96 a9 06 e7 96 |=t...u.^........|\r\n00000090 ce 62 7d 89 4b 1f 08 6d e3 f5 8a fb dc 92 83 87 |.b}.K..m........|\r\nEXE 3:\r\n00000000 1f 60 5a f2 3e c5 25 e1 62 52 9a 2b f9 1d 4f d4 |.`Z.\u003e.%.bR.+..O.|\r\n00000010 77 84 47 d4 8b a4 d9 ea a8 da a8 12 ec d9 ea 6f |w.G............o|\r\n00000020 67 ac 85 27 8f 25 5f 7f cf f9 19 ec 45 0f d3 c5 |g..'.%_.....E...|\r\n00000030 ef 19 cf 52 0c 5d 94 c8 48 8c 34 a7 93 c5 45 a7 |...R.]..H.4...E.|\r\n00000040 74 55 fb fa 12 52 47 ca 87 62 49 62 b2 bc 18 0a |tU...RG..bIb....|\r\n00000050 4e 93 cb d1 34 2b f3 4d 86 9f 2a 1e 13 4f 0a c3 |N...4+.M..*..O..|\r\n00000060 93 26 e8 49 32 40 e1 22 f4 16 69 fd a0 a7 b7 ee |.\u0026.I2@.\"..i.....|\r\n00000070 1e 83 a5 4f fd ff c9 59 cb 32 b9 8e a1 8c 73 8f |...O...Y.2....s.|\r\n00000080 e0 84 49 50 d9 56 79 16 1c 5b 27 0d 95 5a a8 4d |..IP.Vy..['..Z.M|\r\n00000090 c5 2f 73 8e 7a 72 19 b8 74 94 22 d1 45 fb 9c 4c |./s.zr..t.\".E..L|\r\nThe End\r\nYay! I'm done.\r\nAppendix A\r\nWhen I say file ^ file = file , that means XOR each pair of bytes, from the same offset in both files, together, and write the\r\nFormally, think of it as something like\r\n You could also say the same thing about summing all the bits over GF(2) . 
But pretend that I didn't just say all that.\r\nSo, File \" x \" is a stream of bytes, File \" y \" is a stream of bytes, n = min(len(x),len(y))\r\nVaguely almost like this:\r\nwhile ((0!=sysread(IN1, $inbuf1, 1))\u0026\u0026(0!=sysread(IN2, $inbuf2, 1))) {\r\n$outbuf = $inbuf1 ^ $inbuf2;\r\nsyswrite(OUT, $outbuf, 1);\r\n}\r\nAppendix B\r\nThis is how I XOR files together. You might find it useful.\r\nuse strict;\r\nuse warnings;\r\nuse Fcntl;\r\nmy $infile1 = shift;\r\nmy $infile2 = shift;\r\nmy $outfile = shift;\r\nmy $inbuf1;\r\nmy $inbuf2;\r\nmy $outbuf;\r\nprint(\"DEBUG: $infile1 ^ $infile2 -\u003e $outfile\\n\");\r\nsysopen(IN1, $infile1, O_RDONLY) or die \"$infile1: $!\";\r\nsysopen(IN2, $infile2, O_RDONLY) or die \"$infile2: $!\";\r\n# O_TRUNC, so a re-run doesn't leave stale bytes past the end of the shorter input\r\nsysopen(OUT, $outfile, O_WRONLY|O_CREAT|O_TRUNC) or die \"$outfile: $!\";\r\nbinmode(IN1);\r\nbinmode(IN2);\r\nbinmode(OUT);\r\n# one byte from each input per iteration; stops at the end of the shorter file, i.e. n = min(len(x),len(y))\r\nwhile ((0!=sysread(IN1, $inbuf1, 1))\u0026\u0026(0!=sysread(IN2, $inbuf2, 1))) {\r\n$outbuf = $inbuf1 ^ $inbuf2; # Perl string XOR: byte-wise exclusive-or of the two one-byte strings\r\nsyswrite(OUT, $outbuf, 1);\r\n}\r\n# close the handles, not the file names\r\nclose(IN1);\r\nclose(IN2);\r\nclose(OUT);\r\nAppendix C\r\nIf you need to un-HTML-ize this, the only encoding I did on it was:\nsed 's/\u0026/\\\u0026amp;/g' hash.pl | sed 's/\u003c/\\\u003c/g' | sed 's/\u003e/\\\u003e/g'\n#!/usr/bin/perl -w\n# Julia Wolf\n# Rich header hash checker.\n# Public Domain\n# Version 0.0.1 alpha\n# Not really tested, use at own risk and all that jazz.\n# Usage:\n# perl this.pl some.exe\nuse strict;\nmy $file = shift or die;\n# 32-bit rotate left (the x86 ROL the linker uses when it builds the Rich checksum)\nsub rol {\nmy $number = shift;\nmy $bitshift = (shift) % 32;\nreturn ( 0x0FFFFFFFF\u0026($number \u003c\u003c $bitshift ) ) |\n( 0x0FFFFFFFF\u0026($number \u003e\u003e (32 - $bitshift) ) ) ;\n}\n# unused\nsub ror {\nmy $number = shift;\nmy $bitshift = (shift) % 32;\nreturn ($number \u003e\u003e $bitshift) | ($number \u003c\u003c (32 - $bitshift) );\n}\nmy $start = 0x80; # TODO\n# slurp the whole file as raw bytes (portable replacement for `cat $file`)\nopen(my $fh, '\u003c:raw', $file) or die \"$file: $!\";\nmy $data = do { local $/; \u003c$fh\u003e };\nclose($fh);\nmy @bytes = 
unpack(\"C*\", $data); # one unsigned byte per element\nmy @dwords = unpack(\"V*\", $data); # little-endian DWORDs\n# .text:004651D6 xormaskloop1 : ; CODE XREF: IMAGE::CbBuildProdidBlock(void * *)+105j\n# .text:004651D6 movzx edi, byte ptr [ebx+eax] ; edi = (BYTE) PointerToPE[eax]\n# .text:004651DA mov cl, al ; low byte of loop counter in cl\n# .text:004651DC rol edi, cl ; rotates left the current byte of PointerToPE\n# .text:004651DC ; with the low byte of the loop counter\n# .text:004651DE add eax, 1 ; increment eax\n# .text:004651E1 add esi, edi ; adds the result of the rol to the xor mask\n# .text:004651E3 cmp eax, edx ; is counter \u003c initial xor mask value?\n# .text:004651E5 jb short xormaskloop1 ; if so, goes on with the loop\n# .text:004651E7\n# Part 1 of the Rich checksum: start from the DanS offset and add rol(byte, i) for every\n# byte of the DOS header before it, skipping e_lfanew (offsets 0x3C-0x3F).\nmy $mask = $start;\nfor (my $i=0; $i\u003c$start; $i++) { next if ( $i\u003e=0x3C \u0026\u0026 $i\u003c=0x3F );\nlast if ($i\u003e=$#bytes);\n$mask = $mask + rol($bytes[$i],$i);\n$mask = $mask \u0026 0xFFFFFFFF;\n}\nprintf (\"%016x mask\\n\", $mask);\n#00000080 44 61 6e 53 00 00 00 00 00 00 00 00 00 00 00 00 |DanS............|\n#00000090 05 0c 5d 00 02 00 00 00 c3 0f 5d 00 02 00 00 00 |..].......].....|\n#000000a0 13 08 5d 00 02 00 00 00 83 08 5d 00 0b 00 00 00 |..].......].....|\n#000000b0 00 00 01 00 26 00 00 00 05 0c 60 00 07 00 00 00 |....\u0026.....`.....|\n#000000c0 05 0c 5c 00 01 00 00 00 05 0c 5a 00 01 00 00 00 |...\\......Z.....|\n#000000d0 71 67 c1 ce 00 00 00 00 23 0e a2 a6 23 0e a2 a6 |qg......#...#...|\n#00000080 67 6f cc f5 23 0e a2 a6 23 0e a2 a6 23 0e a2 a6 |go..#...#...#...|\n#00000090 26 02 ff a6 21 0e a2 a6 e0 01 ff a6 21 0e a2 a6 |\u0026...!.......!...|\n#000000a0 30 06 ff a6 21 0e a2 a6 a0 06 ff a6 28 0e a2 a6 |0...!.......(...|\n#000000b0 23 0e a3 a6 05 0e a2 a6 26 02 c2 a6 24 0e a2 a6 |#.......\u0026...$...|\n#000000c0 26 02 fe a6 22 0e a2 
a6 |\u0026...\"...\u0026...\"...|\r\n#000000d0 52 69 63 68 23 0e a2 a6 00 00 00 00 00 00 00 00 |Rich#...........|\r\nmy $thingy = $mask;\r\n# .text:004651F0 xormaskloop2 : ; CODE XREF: IMAGE::CbBuildProdidBlock(void * *)+11Ej\r\n# .text:004651F0 mov edx, [eax+ 4 ] ; edx = data1\r\n# .text:004651F3 mov cl, [eax+ 8 ] ; cl = (BYTE) data2\r\n# .text:004651F6 mov eax, [eax] ; eax = next list item\r\n# .text:004651F8 rol edx, cl ; rotates left edx with cl\r\n# .text:004651FA add esi, edx ; adds the result of the rol to the xor mask\r\n# .text:004651FC test eax, eax ; pointer = 0?\r\n# .text:004651FE jnz short xormaskloop2 ; if not, goes on with the loop\r\nmy $pe_offset = $dwords[15];\r\nif ( $pe_offset ) {\r\nif ( 0x00004550 == $dwords[$pe_offset/4] ) {\r\nprint (\"PE OK\\n\");\r\n} else {\r\nprint (\"PE bad\\n\");\r\n}\r\n} else {\r\nprint (\"PE missing\\n\");\r\n}\r\nmy $rich_offset = 0; #bytes\r\ndo {\r\n$rich_offset++; # in dwords\r\n} while ( ($rich_offset\u003c$#dwords)\u0026\u0026(0x68636952 != $dwords[$rich_offset]) ); # undef check if past end\r\nprintf (\"%016x rich off\\n\", $rich_offset*4);\r\nmy $checksum = $dwords[$rich_offset+1];\r\nif ( $checksum ) {\r\nprintf (\"%016x checksum\\n\", $checksum);\r\n} else {\r\nprint (\"checksum missing\\n\");\r\n}\r\nmy $ugh=0;\r\nfor (my $i=0 ; $i\u003c=$rich_offset; $i++) {\r\nif ( $checksum ) {\r\nif (0x536e6144 == ($dwords[$i] ^ $checksum)) {\r\nprint (\"DanS OK $i\\n\");\r\n$ugh = $i;\r\nlast;\r\n}\r\n} else {\r\nprint (\"No DanS, checksum missing\\n\");\r\n}\r\n}\r\nmy $count = 0;\r\nfor (my $i=$ugh+4; $i\u003c=$rich_offset-1; $i+=2) {\r\nprint(\"Ignore these version numbers for now. The top WORD means something completely different.\\n\"); #TODO\r\n# printf(\"comp.id\\t%i.0.%i ? %i x %i\\n\",(($dwords[$i]^$checksum)\u00260xFFFF),((($dwords[$i]^$checksum)\u003e\u003e16)\u00260x000F),((($dwords[$i]^$checksum)\u003e\u003e17)\u00260x000F), ($dwords[$i+1]^$checks\r\n# printf(\"comp.id\\t%i.00.%i (%i?) 
x %i\\n\",((($dwords[$i]^$checksum)\u003e\u003e16)\u00260x000F),(($dwords[$i]^$checksum)\u00260xFFFF),((($dwords[$i]^$checksum)\u003e\u003e17)\u00260x000F), ($dwords[$i+1]^$chec\r\n# printf(\"comp.id\\t%i.%i.%i (%i?) x %i\\n\",((($dwords[$i]^$checksum)\u003e\u003e16)\u00260x000F),((($dwords[$i]^$checksum)\u003e\u003e24)\u00260x00FF),(($dwords[$i]^$checksum)\u00260xFFFF),((($dwords[$i]^$check\r\nprintf(\"comp.id\\t%08x\\t%i.%i.%i Occurs: %i\\n\",\r\n($dwords[$i]^$checksum),\r\n((($dwords[$i]^$checksum)\u00260x000F0000)\u003e\u003e16), # 13 major\r\n((($dwords[$i]^$checksum)\u00260x00F00000)\u003e\u003e19), # 10 minor\r\n(($dwords[$i]^$checksum)\u00260x0000FFFF), # 3077 build\r\n# ((($dwords[$i]^$checksum)\u003e\u003e20)\u00260x000F), #\r\n($dwords[$i+1]^$checksum) ); # 2 occurrence\r\n# This doesn't help...\r\n# //\r\n# // Symbol format.\r\n# //\r\n#\r\n# typedef struct _IMAGE_SYMBOL {\r\n# union {\r\n# BYTE ShortName[8];\r\n# struct {\r\n# DWORD Short; // if 0, use LongName\r\n# DWORD Long; // offset into string table\r\n# } Name;\r\n# DWORD LongName[2]; // PBYTE [2]\r\n# } N;\r\n# DWORD Value;\r\n# SHORT SectionNumber;\r\n# WORD Type;\r\n# BYTE StorageClass;\r\n# BYTE NumberOfAuxSymbols;\r\n# } IMAGE_SYMBOL;\r\n# typedef IMAGE_SYMBOL UNALIGNED *PIMAGE_SYMBOL;\r\n#\r\n# #define IMAGE_SIZEOF_SYMBOL 18\r\n# //\r\n# // Section values.\r\n# //\r\n# // Symbols have a section number of the section in which they are\r\n# // defined. 
Otherwise, section numbers have the following meanings:\r\n# //\r\n#\r\n# #define IMAGE_SYM_UNDEFINED (SHORT)0 // Symbol is undefined or is common.\r\n# #define IMAGE_SYM_ABSOLUTE (SHORT)-1 // Symbol is an absolute value.\r\n# #define IMAGE_SYM_DEBUG (SHORT)-2 // Symbol is a special debug item.\r\n# #define IMAGE_SYM_SECTION_MAX 0xFEFF // Values 0xFF00-0xFFFF are special\r\n#\r\n# Part 2 of the Rich checksum: add rol(comp.id, count) for every (comp.id, count) pair between DanS and Rich\r\n$thingy = $thingy + rol( $dwords[$i] ^ $checksum, $dwords[$i+1] ^ $checksum );\r\n$thingy = $thingy \u0026 0xFFFFFFFF;\r\n$count++; # item count\r\n}\r\nprintf (\"%016x thingy\\n\", $thingy);\r\nprintf (\"%016x diff\\n\", $checksum - $thingy ) if ( $checksum );\r\nprintf (\"%016x xor\\n\", $checksum ^ $thingy ) if ( $checksum );\r\n# the recomputed value must equal the stored checksum (the XOR mask) for the Rich header to be intact\r\nprint (\"Rich checksum OK\\n\") if ( $checksum \u0026\u0026 $checksum == $thingy );\r\nprint (\"Rich checksum MISMATCH\\n\") if ( $checksum \u0026\u0026 $checksum != $thingy );\r\nmy $list = ( $count ) * 8;\r\nprintf (\"%016x list len bytes\\n\", $list );\r\nprintf (\"%016x DanS start bytes\\n\", $ugh*4 );\r\nprintf (\"%016x list start bytes\\n\", $ugh*4 + 0x10);\r\nprintf (\"%016x list end bytes\\n\", $list+($ugh*4) + 0x10 );\r\nmy $padding = ( ( (($thingy \u003e\u003e 5) % 3) + $count ) * 8) + 0x20;\r\nprintf (\"%016x pad\\n\", $padding );\r\nprintf (\"%016x end\\n\", ($ugh*4)+$padding);\r\nprint (\"PE == end\\n\") if ($pe_offset)\u0026\u0026( (($ugh*4)+$padding) == ($pe_offset) ) ;\r\nprint \"\\n\";\r\nexit(0);\r\nAppendix D\r\nMD5 Timestamp(epoch) SrcIP SrcPort DstIP DstPort Bytes Description\r\n2eddd3fa59f2bbec61415fc599e1aee8 1253064020.308867 88.214.243.45 80 192.168.0.2 1038 785 Decrypted Config File\r\n5991402077ab21c5e656550214298f20 1253064023.563605 88.214.243.45 80 192.168.0.2 1039 11264 Decrypted \"ddos\" EXE\r\nfe9cf7b3f01816393298ff1345ca3c04 1253064029.663532 88.214.243.45 80 192.168.0.2 1040 6657 Decrypted \"http\" EXE\r\n87b71080d75b5ca222fa51ce7563a615 1253064034.512609 88.214.243.45 80 192.168.0.2 1041 16896 Decrypted \"syn\" EXE\r\nadae2ddc6ec2cedf9d575b48267b53a4 6657 ddos_x_http\r\n8496ee21928543ee9b49b8df5e1c861b 11264 ddos_x_syn\r\n04c978be26ee36f7cc050795dd2c648b 6657 http_x_syn\r\nc61e182c9b67ab9067138deac9f831a5 785 
xml_x_ddos\r\nddb168742d95068046340ee18fa50dbc 785 xml_x_http\r\n0880df84c5b886cbdd0e0be01deed2f6 785 xml_x_syn\r\nAppendix E\r\nLook for the value of the @comp.id symbol, in the output from either of these:\r\nnm coff.obj\r\ndumpbin /SYMBOLS coff.obj\r\nBuild   @comp.id  Notes (probably wrong)\r\n2179    000F0883  Version 7.10.2179 (DDK 3790?)\r\n3052    005F0BEC  Version 7.10.3052 ?\r\n3077    000F0C05  Version 7.10.3077 (Visual Studio 2003)\r\n3077    005D0C05  Version 7.10.3077\r\n3077    005F0C05  Version 7.10.3077\r\n3077    00600C05  Version 7.10.3077\r\n4035              7.10.4035 (DDK 3790.1830)\r\n8155    000B1FDB  Version 6.00.8155 ?\r\n8168    00041FE8  Version 6.00.8168 ?\r\n8168    000A1FE8\r\n8168    000B1FE8  Version 6.00.8168 ?\r\n8444    001220FC  Version 6.14.8444\r\n8447    000420ff  Version 6.00.8447 ?\r\n8966    000A2306\r\n9044    00312354\r\n9466    004024FA  Version 7.00.9466 ?\r\n21022   0083521E  VS2008 9.00.21022.08 ?\r\n21022   0093521E  9.00.21022 ?\r\n30729   00837809  VS2008 (9.0) SP1 15.00.30729.01 ?\r\n30729   00937809  VS2008 (9.0) SP1 15.00.30729.01 ?\r\n50727   006DC627  VS2005 for C objects; 8.00.50727.762 / VS2005 (8.0) SP1 14.00.50727.762\r\n50727   006EC627  VS2005 (via 8.00.50727.762)\r\n50727   006EC627  VS2005 for c++ objects; 8.00.50727.762? or 8.00.50727.42?\r\n50727   007BC627  VS2005 (8.0)\r\nAppendix F\r\nsyn.dll: file format efi-app-ia32\r\nsyn.dll\r\narchitecture: i386, flags 0x0000010b:\r\nHAS_RELOC, EXEC_P, HAS_DEBUG, D_PAGED\r\nstart address 0x100010ac\r\nCharacteristics 0x210e\r\nexecutable\r\nline numbers stripped\r\nsymbols stripped\r\n32 bit words\r\nDLL\r\nTime/Date Mon Aug 25 16:38:33 2008\r\nMagic 010b (PE32)\r\nMajorLinkerVersion 7\r\nMinorLinkerVersion 10\r\nSizeOfCode 00000e00\r\nSizeOfInitializedData 00003a00\r\nSizeOfUninitializedData 00000000\r\nAddressOfEntryPoint 00000000000010ac\r\nBaseOfCode 0000000000001000\r\nBaseOfData 0000000000002000\r\nImageBase 0000000010000000\r\nSectionAlignment 0000000000001000\r\nFileAlignment 0000000000000200\r\nMajorOSystemVersion 4\r\nMinorOSystemVersion 0\r\nMajorImageVersion 0\r\nMinorImageVersion 0\r\nMajorSubsystemVersion 4\r\nMinorSubsystemVersion 0\r\nWin32Version 00000000\r\nSizeOfImage 00007000\r\nSizeOfHeaders 00000400\r\nCheckSum 00000000\r\nSubsystem 00000002 (Windows GUI)\r\nDllCharacteristics 00000400\r\nSizeOfStackReserve 0000000000100000\r\nSizeOfStackCommit 0000000000001000\r\nSizeOfHeapReserve 0000000000100000\r\nSizeOfHeapCommit 0000000000001000\r\nLoaderFlags 00000000\r\nNumberOfRvaAndSizes 00000010\r\nThe Data Directory\r\nEntry 0 0000000000002610 00000062 Export Directory [.edata (or where ever we found it)]\r\nEntry 1 0000000000002208 000000b4 Import Directory [parts of .idata]\r\nEntry 2 0000000000000000 00000000 Resource Directory [.rsrc]\r\nEntry 3 0000000000000000 00000000 Exception Directory [.pdata]\r\nEntry 4 0000000000000000 00000000 Security Directory\r\nEntry 5 0000000000006000 000000bc Base Relocation Directory [.reloc]\r\nEntry 6 0000000000000000 00000000 Debug Directory\r\nEntry 7 0000000000000000 00000000 Description Directory\r\nEntry 8 0000000000000000 00000000 
Special Directory\r\nEntry 9 0000000000000000 00000000 Thread Storage Directory [.tls]\r\nEntry a 0000000000000000 00000000 Load Configuration Directory\r\nEntry b 0000000000000000 00000000 Bound Import Directory\r\nEntry c 0000000000002000 000000b4 Import Address Table Directory\r\nEntry d 0000000000000000 00000000 Delay Import Directory\r\nEntry e 0000000000000000 00000000 CLR Runtime Header\r\nEntry f 0000000000000000 00000000 Reserved\r\nThere is an import table in .rdata at 0x10002208\r\nThe Import Tables (interpreted .rdata section contents)\r\nvma: Hint Time Forward DLL First\r\nTable Stamp Chain Name Thunk\r\nThere is an export table in .rdata at 0x10002610\r\nPE File Base Relocations (interpreted .reloc section contents)\r\nSections:\r\nIdx Name Size VMA LMA File off Algn\r\n0 .text 00000d00 10001000 10001000 00000400 2**2\r\nCONTENTS, ALLOC, LOAD, READONLY, CODE\r\n1 .rdata 00000672 10002000 10002000 00001200 2**2\r\nCONTENTS, ALLOC, LOAD, READONLY, DATA\r\n2 .data 00002600 10003000 10003000 00001a00 2**2\r\nCONTENTS, ALLOC, LOAD, DATA\r\n3 .reloc 0000014c 10006000 10006000 00004000 2**2\r\nCONTENTS, ALLOC, LOAD, READONLY, DATA\r\nSYMBOL TABLE:\r\nno symbols\r\nJulia Wolf @ FireEye Malware Intelligence Lab\r\nQuestions/Comments to research [@] fireeye [.] com\r\n\r\nSource: https://web.archive.org/web/20140428201836/http://www.fireeye.com/blog/technical/malware-research/2010/03/black-energy-crypto.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://web.archive.org/web/20140428201836/http://www.fireeye.com/blog/technical/malware-research/2010/03/black-energy-crypto.html"
	],
	"report_names": [
		"black-energy-crypto.html"
	],
	"threat_actors": [
		{
			"id": "67bf0462-41a3-4da5-b876-187e9ef7c375",
			"created_at": "2022-10-25T16:07:23.44832Z",
			"updated_at": "2026-04-10T02:00:04.607111Z",
			"deleted_at": null,
			"main_name": "Careto",
			"aliases": [
				"Careto",
				"The Mask",
				"Ugly Face"
			],
			"source_name": "ETDA:Careto",
			"tools": [
				"Careto"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f5bf6853-3f6e-452c-a7b7-8f81c9a27476",
			"created_at": "2023-01-06T13:46:38.677391Z",
			"updated_at": "2026-04-10T02:00:03.064818Z",
			"deleted_at": null,
			"main_name": "Careto",
			"aliases": [
				"The Mask",
				"Ugly Face"
			],
			"source_name": "MISPGALAXY:Careto",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434548,
	"ts_updated_at": 1775791878,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ace68cd5f90719a18d84ef8a42f90370629fcd22.pdf",
		"text": "https://archive.orkl.eu/ace68cd5f90719a18d84ef8a42f90370629fcd22.txt",
		"img": "https://archive.orkl.eu/ace68cd5f90719a18d84ef8a42f90370629fcd22.jpg"
	}
}